UBB.threads 'showflat.php' SQL Injection Vulnerability

Vulnerability ID: 1195603   Vulnerability type: SQL injection
Published: 2006-03-28   Updated: 2006-03-28
CVE ID: CVE-2006-1423   CNNVD-ID: CNNVD-200603-450
Platform: N/A   CVSS score: 5.0
|Vulnerability Sources
https://www.securityfocus.com/bid/83998
https://cxsecurity.com/issue/WLB-2006030115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-450
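|Vulnerability Details
A SQL injection vulnerability exists in showflat.php in UBB.threads 5.5.1, 6.0br5, 6.0.1, 6.0.2 and earlier versions. A remote attacker can execute arbitrary SQL commands via the Number parameter.
|Exploit (EXP)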
[+]UBBThreads 
[-]Founded By Moroccan Security Team
[+]we are [DaBDouB-MoSiKaR,simo64,ki11er,Dr.E-Vil,|ucifier]
[+]special 10x: to all friends SnIpEr_SA,Crash_OvEr_rIdE king-hacker,CiM-TeaM,ameer,Dranzelz,Esp!onLeRaVaGe and www.lezr.com
[+]Solution:Upgrade to a version 6.0.3
[-]example:http://[target]/ubbthreads/showflat.php?Cat=&Board=sciastro&Number=[sq]&page=0
[+]have nice day
|Affected Products
UBBCentral UBB.threads 6.0.2
UBBCentral UBB.threads 5.5.1
UBBCentral UBB.threads 6.0.1
UBBCentral UBB.threads 6.0 Br5
|References

Source: BUGTRAQ
Name: 20060325 UBBThreads <= 5.5.1+6.0.2+6.0br5+6.0.1 SQL injection
Link: http://www.securityfocus.com/archive/1/archive/1/428833/100/0/threaded
Source: SREASON
Name: 628
Link: http://securityreason.com/securityalert/628