Simple Customer 'login.php' SQL Injection Vulnerability

Vulnerability ID: 1116755
Vulnerability type: SQL injection
Published: 2008-11-17
Updated: 2009-03-11
CVE ID: CVE-2008-6326
CNNVD-ID: CNNVD-200902-643
Platform: PHP
CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/7146
https://www.securityfocus.com/bid/34043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-643
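|Vulnerability Details
SimpleCustomer is a customer management tool. login.php in SimpleCustomer contains an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via the email parameter.
|Exploit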
###############################################################################################
[-] Simple Customer  1.2 Remote (Auth bypass) SQL Injection Vulnerability
[-] Discovered By : d3b4g        
[-] Greetz : All my friends         
################################################################################################
 Go to www.target.com[path]login.php

 Use following information to bypass login.

 Write any email address as the email address. It must be in email format like somethin@something.com

 For example letmein@inbox.com

 For password use ' or ' 1=1

  Live demo [at] http://www.simplecustomer.com/demo/login.php
--------------------------------------------
--------------------------------------------

# milw0rm.com [2008-11-17]
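
The login pattern behind the bypass above, next to a hardened form, as an added example that is not Simple Customer's code and not part of the original advisory. The `users` table, its columns and both functions are hypothetical, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration; table/column names and both functions are hypothetical,
// not taken from Simple Customer's source.

// Vulnerable pattern: request values concatenated into the SQL text.
function build_login_query_unsafe(string $email, string $password): string {
    return "SELECT id FROM users WHERE email = '$email' AND password = '$password'";
}

// Hardened pattern: bound parameter for the lookup, hash comparison in PHP.
function login_safe(PDO $db, string $email, string $password): bool {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // reject values that are not a syntactically valid address
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    // The password never reaches the SQL text; it is only checked against the hash.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
$ins->execute(['admin@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

$payload = "' or ' 1=1"; // password value quoted in the advisory text

// Unsafe form: the quote in the value ends the string literal, so the rest
// of the value is parsed as SQL (an extra OR branch) instead of as data.
echo build_login_query_unsafe('letmein@inbox.com', $payload), PHP_EOL;

// Hardened form: the same value is treated purely as a candidate password.
var_dump(login_safe($db, 'letmein@inbox.com', $payload));
var_dump(login_safe($db, 'admin@example.com', $payload));
var_dump(login_safe($db, 'admin@example.com', 'correct horse'));
```
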
|Affected Products
Simple Customer Simple Customer 1.2
|References

Source: XF
Name: simplecustomer-login-sql-injection(46675)
Link: http://xforce.iss.net/xforce/xfdb/46675
Source: OSVDB
Name: 49916
Link: http://www.osvdb.org/49916
Source: SECUNIA
Name: 32727
Link: http://secunia.com/advisories/32727