FuzzyMonkey MyClassifieds Email变量SQL注入漏洞

FuzzyMonkey MyClassifieds Email变量SQL注入漏洞

漏洞ID 1107524 漏洞类型 SQL注入
发布时间 2003-10-21 更新时间 2003-12-31
图片[1]-FuzzyMonkey MyClassifieds Email变量SQL注入漏洞-安全小百科CVE编号 CVE-2003-1520
图片[2]-FuzzyMonkey MyClassifieds Email变量SQL注入漏洞-安全小百科CNNVD-ID CNNVD-200312-463
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/23269
https://cxsecurity.com/issue/WLB-2007100114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-463
|漏洞详情
MyClassifiedsSQL是一款方便快捷构建站点论坛系统的脚本。MyClassifiedsSQL由于没有充分过滤用户提交的$email变量,远程攻击者可以利用这个漏洞进行SQL注入攻击,可以更改数据库信息或破坏数据库。攻击者提交恶意SQL代码到Email变量,可导致更改原来应用系统的SQL逻辑,如使软件写用户密码到一个全局可读的文件中,利用这些敏感信息进一步对系统进行攻击,也可以对数据库进行破坏操作。
|漏洞EXP
source: http://www.securityfocus.com/bid/8863/info

It has been reported that FuzzyMonkey MyClassifieds may be prone to a SQL injection vulnerability that may allow an attacker to disclose user passwords by supplying malicious SQL code to the Email variable. This attack may cause the software to write user password to a world readable file, which may be accessed to launch further attacker against a system.

A malicious user may influence database queries in order to view or modify sensitive information, and gain unauthorized access by disclosing user passwords therefore potentially compromising the software or the database.

MyClassifieds version 2.11 has been reported to be prone to this vulnerability, however other versions may be affected as well. 

If the value of $email is [email protected]' OR 1=1 INTO OUTFILE
'/<directory-path>/pass.txt, the SQL request becomes:

select passmd5 from people where email=' [email protected]' OR 1=1 INTO OUTFILE
'/<directory-path>/pass.txt'
|参考资料

来源:BID
名称:8863
链接:http://www.securityfocus.com/bid/8863
来源:BUGTRAQ
名称:20031021SQLInjectionVulnerabilityinFuzzyMonkeyMyClassifiedsSQLVersion
链接:http://www.securityfocus.com/archive/1/341908
来源:SREASON
名称:3293
链接:http://securityreason.com/securityalert/3293
来源:NSFOCUS
名称:5575
链接:http://www.nsfocus.net/vulndb/5575

相关推荐: XFree86 Xlib Display Buffer Overflow Vulnerability

XFree86 Xlib Display Buffer Overflow Vulnerability 漏洞ID 1103798 漏洞类型 Boundary Condition Error 发布时间 2000-10-12 更新时间 2000-10-12 CVE编…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享