Invision Gallery post.php Remote SQL Injection Vulnerability

Vulnerability ID: 1195123
Vulnerability type: SQL injection
Published: 2006-05-04
Updated: 2006-05-05
CVE ID: CVE-2006-2202
CNNVD-ID: CNNVD-200605-073
Platform: N/A
CVSS score: 6.4
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2006050038
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-073
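|Vulnerability Details
Invision Gallery is a popular web-based image management system. Its implementation contains an input validation vulnerability that a remote attacker may exploit to carry out SQL injection against the server and gain unauthorized access to the database. The modules/gallery/post.php script does not adequately check and filter the value of the album variable, so a remote attacker can insert SQL statements into that value to access data without authorization, leading to database corruption or information disclosure.
|Exploit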
[left]

Invision Gallery  2.0.6 ( SQL Injection )

File   :- modules/gallery/post.php

Line   :- 943

Bug By :- Devil-00

* Welcome Back ( Security4arab ) *

Arabian Security WebSites

www.s4a.cc

www.securitygurus.net

[php]

$this->ipsclass->DB->simple_construct( array( 'select' => 'COUNT(*) AS total', 'from' => 'gallery_images', 'where' => "album_id={$this->ipsclass->input['album']}" ) );

[/php]

$this->ipsclass->input['album'] = Unfiltered Input

Exploit :-

Post New Image Then Edit POST Request By HTTPLiveHeader

album=[SQL]

Fix :-

[php]

// Cast to an integer so only a numeric album id reaches the WHERE clause
$this->ipsclass->DB->simple_construct( array( 'select' => 'COUNT(*) AS total', 'from' => 'gallery_images', 'where' => "album_id=".intval($this->ipsclass->input['album']) ) );

[/php]

[/left]
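The advisory's fix coerces the album value with intval(), which also accepts tampered values such as "1abc" by silently truncating them. The following added example (not code from the advisory or from Invision Gallery) shows a stricter variant that rejects non-numeric input and binds the id as a typed parameter. It assumes PDO with an in-memory SQLite database instead of the ipsclass DB wrapper, and the helper names albumIdFromInput() and countImages() are hypothetical.

```php
<?php
// Added example, not Invision Gallery code. albumIdFromInput() and
// countImages() are hypothetical helpers; PDO/SQLite is an assumption.

// Return the album id as an int, or null when the raw value is not a plain
// decimal integer >= 1. Unlike intval(), "1abc" is rejected, not turned into 1.
function albumIdFromInput($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays (album[]=x), null, etc.
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Count images in an album with the id bound as a typed parameter, so the
// request value is never concatenated into the SQL text.
function countImages(PDO $db, $rawAlbum): ?int
{
    $albumId = albumIdFromInput($rawAlbum);
    if ($albumId === null) {
        return null; // caller should answer with an error and log the request
    }
    $stmt = $db->prepare(
        'SELECT COUNT(*) AS total FROM gallery_images WHERE album_id = :album'
    );
    $stmt->bindValue(':album', $albumId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed sample data; the table name follows the query in the advisory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gallery_images (id INTEGER PRIMARY KEY, album_id INTEGER)');
$db->exec('INSERT INTO gallery_images (album_id) VALUES (1), (1), (2)');

// Constructed request values: two valid ids and three malformed ones.
foreach (['1', '2', '1abc', '', ['x']] as $raw) {
    $n = countImages($db, $raw);
    printf("%-8s intval=%d  result=%s\n",
        json_encode($raw), intval($raw), $n === null ? 'rejected' : $n);
}
```

Rejecting malformed values instead of coercing them gives the application a point at which tampered POST requests can be logged.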
|References

Source: BID
Name: 17793
Link: http://www.securityfocus.com/bid/17793
Source: SECUNIA
Name: 19948
Link: http://secunia.com/advisories/19948
Source: BUGTRAQ
Name: 20060502 Invision Gallery 2.0.6 (SQL Injection)
Link: http://www.securityfocus.com/archive/1/archive/1/432731/100/0/threaded
Source: VUPEN
Name: ADV-2006-1655
Link: http://www.frsirt.com/english/advisories/2006/1655
Source: SECTRACK
Name: 1016019
Link: http://securitytracker.com/id?1016019
Source: XF
Name: invisiongallery-album-sql-injection(26224)
Link: http://xforce.iss.net/xforce/xfdb/26224
Source: BUGTRAQ
Name: 20060504 Re: Invision Gallery 2.0.6 (SQL Injection)
Link: http://www.securityfocus.com/archive/1/archive/1/432952/100/0/threaded
Source: OSVDB
Name: 25231
Link: http://www.osvdb.org/25231
Source: SREASON
Name: 841
Link: http://securityreason.com/securityalert/841