SiteX CMS SQL Injection Vulnerability

Vulnerability ID: 1188980    Vulnerability type: SQL injection
Published: 2007-09-28    Updated: 2007-09-28
CVE ID: CVE-2007-5141    CNNVD ID: CNNVD-200709-437
Platform: N/A    CVSS score: 6.8
|Vulnerability sources
https://www.securityfocus.com/bid/81578
https://cxsecurity.com/issue/WLB-2007090094
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-437
|Vulnerability details
search.php in SiteX CMS 0.7.3 Beta contains an SQL injection vulnerability: a remote attacker can execute arbitrary SQL commands via the search parameter.
|Vulnerability EXP

[waraxe-2007-SA#055] - Sql Injection in SiteX CMS 0.7.3 Beta
====================================================================

Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-55.html

Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://sitex.bjsintay.com/

SiteX is a versatile web tool that will enable you to start your own
dynamic website in under 5 minutes. Driven by PHP and MySQL, SiteX
consists of components common to most personal and professional websites.

Vulnerabilities: Sql Injection in "search.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's analyze "search.php" source code:

------------>[source code]<------------

if(isset($_GET['search']))
	$search = stripslashes($search);        // undoes any magic_quotes escaping

$search = trim(stripslashes($search));      // stripped again, unconditionally
...
$sxPhotoResults = sxPhotoSearchResults($search);   // raw string reaches the SQL query

------------>[/source code]<-----------

As we can see, stripslashes() is applied to the search string, so
"magic_quotes" will not help against SQL injection. And the following function
"sxPhotoSearchResults()" does not sanitize the search string either.

So let's run a test:

http://victim.com/search.php?search=O'Brien

and we get a nice error message:

SiteX experienced error #1 with an SQL bash readout of : You have an error
in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near 
'Brien%' OR SiteX_Photos.name LIKE '%O'Brien%' OR
SiteX_Photos.description LIKE '' at line 2

Yep, SQL injection exists here. Now, some facts about this injection:

1. This seems to be exploitable only as blind SQL injection. I have written a
proof-of-concept exploit for this and it is working as expected.
2. "magic_quotes" does not matter, because "stripslashes()" is used.
3. "register_globals" is not important either, because the attack comes from "$_GET".
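The root cause described above is that the search term is pasted into the LIKE patterns as SQL text, and stripslashes() removes the only escaping that magic_quotes would have provided. The following is an added example, not SiteX code or the advisory author's code: it rebuilds the vulnerable query shape beside a hardened version that binds the term as a parameter and escapes LIKE wildcards. The table and column names (SiteX_Photos.name, SiteX_Photos.description) are taken from the error message in the advisory; the in-memory SQLite fixture, the function names and the length limit are assumptions made so the example runs offline.

```php
<?php
// Added example (not SiteX or advisory code): the search.php pattern, hardened.
// Schema and fixture rows below are constructed for this example only.
declare(strict_types=1);

// Vulnerable shape from the advisory: stripslashes() undoes any magic_quotes
// escaping, then the raw string is pasted into the LIKE patterns as SQL text.
function buildVulnerablePhotoQuery(string $search): string
{
    $search = trim(stripslashes($search));
    return "SELECT name, description FROM SiteX_Photos"
         . " WHERE SiteX_Photos.name LIKE '%$search%'"
         . " OR SiteX_Photos.description LIKE '%$search%'";
}

// Escape LIKE metacharacters so a user cannot turn "%" or "_" into wildcards.
// "!" is used as the ESCAPE character because it behaves the same in MySQL
// and SQLite and avoids backslash handling differences between SQL modes.
function escapeLikePattern(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Hardened search: the user string is only ever a bound parameter, so a quote
// in it (O'Brien) is data, not SQL. No stripslashes(): there is nothing to undo.
function sxPhotoSearchResultsSafe(PDO $db, string $search): array
{
    $search = trim($search);
    if ($search === '' || strlen($search) > 200) {
        return [];   // assumed guard: reject empty or oversized terms up front
    }
    $pattern = '%' . escapeLikePattern($search) . '%';
    // Two placeholders for the same value: some drivers reject reusing one name.
    $stmt = $db->prepare(
        'SELECT name, description FROM SiteX_Photos'
        . ' WHERE name LIKE :p1 ESCAPE \'!\' OR description LIKE :p2 ESCAPE \'!\''
    );
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture (SQLite stand-in for MySQL) so the example runs stand-alone.
function makeFixtureDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE SiteX_Photos (name TEXT, description TEXT)');
    $ins = $db->prepare('INSERT INTO SiteX_Photos VALUES (?, ?)');
    $ins->execute(["O'Brien portrait", 'studio shot']);
    $ins->execute(['Sunset', '100% natural light']);
    return $db;
}

if (PHP_SAPI === 'cli') {
    $db = makeFixtureDb();

    // The advisory's test string leaves an unbalanced quote in the vulnerable SQL...
    echo buildVulnerablePhotoQuery("O'Brien"), PHP_EOL;

    // ...but is plain data to the prepared statement: one row, no SQL error.
    print_r(sxPhotoSearchResultsSafe($db, "O'Brien"));

    // Wildcards are neutralised: a bare "%" now matches only the row that
    // literally contains a percent sign instead of every row in the table,
    // and "_" matches nothing because no row contains a literal underscore.
    print_r(sxPhotoSearchResultsSafe($db, '%'));
    print_r(sxPhotoSearchResultsSafe($db, '_'));
}
```

Run it with `php search_example.php` (any file name). The point to check in a real deployment is the second half: the term reaches the database only through execute(), so the error message quoted in the advisory cannot be triggered, and the ESCAPE clause keeps the search from being widened into a full-table match.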

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and all other people who know me!
Greetings to Raido Kerna.
Greetings to the people of Torufoorum!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe (at) yahoo (dot) com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertising:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Astronomy books - http://astronomy.oldreadings.com/
User Manuals - http://user-manuals.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------
|Affected products
SiteX Sitex Cms 0.7.3 beta
|References

Source: MISC
Link: http://www.waraxe.us/advisory-55.html
Source: BUGTRAQ
Name: 20070927 [waraxe-2007-SA#055] - Sql Injection in SiteX CMS 0.7.3 Beta
Link: http://www.securityfocus.com/archive/1/archive/1/480814/100/0/threaded
Source: XF
Name: sitex-search-sql-injection(36836)
Link: http://xforce.iss.net/xforce/xfdb/36836
Source: SREASON
Name: 3178
Link: http://securityreason.com/securityalert/3178