VBZooM SQL Injection Vulnerability

Vulnerability ID: 1189950
Vulnerability type: SQL injection
Published: 2007-07-05
Updated: 2007-07-05
CVE ID: CVE-2007-3588
CNNVD ID: CNNVD-200707-088
Platform: N/A
CVSS score: 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/81649
https://cxsecurity.com/issue/WLB-2007070016
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-088
|Vulnerability details
A SQL injection vulnerability exists in reply.php in VBZooM 1.12. A remote attacker can execute arbitrary SQL commands via the UserID parameter to sub-join.php. Note: this issue may be the same as CVE-2006-3691.4. The advisory title names reply.php, while the only request shown in the exploit section targets sub-join.php; anyone auditing or testing an installation should check how both scripts handle the UserID value.
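The bug class described above, shown as an added example rather than VBZooM's own code (the page does not include the source of sub-join.php or reply.php, so the table, column names and query below are assumptions): a constructed sqlite3 users table, a lookup that concatenates the UserID query-string value straight into SQL, and a hardened lookup that enforces the integer type and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed sample data; the schema is an assumption, not VBZooM's real one.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]

# Tautology payload of the kind a "UserID=[SQL Injection]" request would carry.
TAUTOLOGY_PAYLOAD = "1 OR 1=1"


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (UserID INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, user_id):
    """Vulnerable pattern: the request value is pasted into the SQL text.

    Because the value sits in an unquoted numeric position, quote escaping
    (addslashes, magic_quotes) would not help: there is no quote to break out
    of, so "1 OR 1=1" simply becomes part of the WHERE clause.
    """
    sql = "SELECT UserID, name, email FROM users WHERE UserID = " + user_id
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    """Hardened pattern: validate the type, then bind the value.

    Only ASCII digits are accepted (str.isdigit also admits Unicode digits
    that int() rejects), and the query uses a bound parameter so the database
    never parses attacker text as SQL.
    """
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("UserID must be a non-negative integer")
    sql = "SELECT UserID, name, email FROM users WHERE UserID = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def run_demo():
    """Exercise both lookups with a normal value and with the payload.

    Returns (rows for a normal id via the vulnerable path,
             number of rows the payload pulls through the vulnerable path,
             rows for a normal id via the safe path,
             whether the safe path rejected the payload).
    """
    conn = make_db()
    normal_vuln = lookup_user_vulnerable(conn, "2")
    leaked = len(lookup_user_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    normal_safe = lookup_user_safe(conn, "2")
    try:
        lookup_user_safe(conn, TAUTOLOGY_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return normal_vuln, leaked, normal_safe, rejected


if __name__ == "__main__":
    normal_vuln, leaked, normal_safe, rejected = run_demo()
    print("vulnerable, UserID=2      ->", normal_vuln)
    print("vulnerable, payload        -> rows returned:", leaked)
    print("safe, UserID=2             ->", normal_safe)
    print("safe, payload rejected     ->", rejected)
```

The point of the pair is that the fix is two-part: a type check on the request value so that anything other than an integer never reaches the query, and parameter binding so the database engine receives the value as data even if a later code change loosens the check.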
|Exploit
Discovered By: Hasadya Raed
Contact : RaeD (at) BsdMail (dot) Com [email concealed]
Israel
---------------------------
Script : VBZooM V1.12
VBZooM V1.12 "reply.php" SQL Injection
Dork : POWERED BY VBZooM V1.12
---------------------------
B.File : reply.php
---------------------------
Exploit : 
http://www.victim.com/Path_Script/sub-join.php?UserID=[SQL Injection]
|Affected products
VBZoom VBZoom 1.12
|References

Source: BUGTRAQ
Name: 20070629 SQL Injection In Script VBZooM V1.12
Link: http://www.securityfocus.com/archive/1/archive/1/472510/100/0/threaded
Source: XF
Name: vbzoom-reply-sql-injection(35171)
Link: http://xforce.iss.net/xforce/xfdb/35171
Source: SREASON
Name: 2861
Link: http://securityreason.com/securityalert/2861