FuzzyMonkey MyClassifieds Email Variable SQL Injection Vulnerability

Vulnerability ID: 1107524    Vulnerability type: SQL injection
Published: 2003-10-21    Updated: 2003-12-31
CVE ID: CVE-2003-1520    CNNVD-ID: CNNVD-200312-463
Platform: PHP    CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/23269
https://cxsecurity.com/issue/WLB-2007100114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-463
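|Vulnerability details
MyClassifiedsSQL is a script for quickly and easily building a site forum system. Because MyClassifiedsSQL does not sufficiently filter the user-supplied $email variable, a remote attacker can exploit this vulnerability to carry out SQL injection attacks and modify database information or damage the database. By submitting malicious SQL code in the Email variable, an attacker can change the SQL logic of the application, for example causing the software to write user passwords to a world-readable file; this sensitive information can then be used for further attacks on the system, and the database itself can also be subjected to destructive operations.
|Exploit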
source: http://www.securityfocus.com/bid/8863/info

It has been reported that FuzzyMonkey MyClassifieds may be prone to a SQL injection vulnerability that may allow an attacker to disclose user passwords by supplying malicious SQL code to the Email variable. This attack may cause the software to write user passwords to a world-readable file, which may be accessed to launch further attacks against a system.

A malicious user may influence database queries in order to view or modify sensitive information, and gain unauthorized access by disclosing user passwords, therefore potentially compromising the software or the database.

MyClassifieds version 2.11 has been reported to be prone to this vulnerability; however, other versions may be affected as well.

If the value of $email is aaa@aaa.com' OR 1=1 INTO OUTFILE
'/<directory-path>/pass.txt, the SQL request becomes:

select passmd5 from people where email=' aaa@aaa.com' OR 1=1 INTO OUTFILE
'/<directory-path>/pass.txt'
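
The difference between building that query by string concatenation and binding $email as a parameter, as an added example that is not code from MyClassifieds or from the advisory. It uses Python's sqlite3 as a stand-in for the PHP/MySQL application; the `people` table and its columns follow the query quoted above, and the rows, hash values and function names are constructed for illustration.

```python
import sqlite3

# Shortened form of the $email value quoted above. SQLite has no INTO OUTFILE,
# so only the "OR 1=1" part is kept and the trailing quote is commented out.
HOSTILE_EMAIL = "aaa@aaa.com' OR 1=1 --"


def make_db():
    """In-memory stand-in for the application's database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (email TEXT, passmd5 TEXT)")
    db.executemany(
        "INSERT INTO people VALUES (?, ?)",
        [("alice@example.com", "constructed-hash-1"),
         ("bob@example.com", "constructed-hash-2")],
    )
    return db


def lookup_concatenated(db, email):
    """Vulnerable pattern: the value is pasted into the SQL text."""
    sql = "select passmd5 from people where email='" + email + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, email):
    """Hardened pattern: the value is a bound parameter, never parsed as SQL."""
    sql = "select passmd5 from people where email=?"
    return [row[0] for row in db.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", lookup_concatenated),
                      ("bound", lookup_bound)):
        print(label, "legitimate:", fn(db, "alice@example.com"))
        print(label, "hostile:   ", fn(db, HOSTILE_EMAIL))
```

With the bound form the hostile value is compared as a literal e-mail address and matches no row. On MySQL, `INTO OUTFILE` additionally requires the FILE privilege, so an application database account without that privilege cannot write the result file even if a query is altered.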
|References

Source: BID
Name: 8863
Link: http://www.securityfocus.com/bid/8863
Source: BUGTRAQ
Name: 20031021 SQL Injection Vulnerability in FuzzyMonkey MyClassifieds SQL Version
Link: http://www.securityfocus.com/archive/1/341908
Source: SREASON
Name: 3293
Link: http://securityreason.com/securityalert/3293
Source: NSFOCUS
Name: 5575
Link: http://www.nsfocus.net/vulndb/5575