醉雨他乡游's blog

—— recording life's little moments: joy and sorrow, memories and hopes, success and failure, all its flavours

[Repost] CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

2015-02-11 14:31:55 | Category: Repost

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability
 
 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]
Advisory Details:
(1) Vendor & Product Description

Vendor: Smartwebsites

Product & Version: SmartCMS v.2

Vendor URL & Download:

Product Description:
“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”
(2) Vulnerability Details:
SmartCMS v.2 contains SQL injection vulnerabilities (CWE-89): values supplied in request parameters reach the application's SQL queries without proper neutralization. Two injection points are reported, both reachable without authentication, which is consistent with the Au:N component of the CVSS vector above.

(2.1) The first injection point is the "index.php" page, through the "pageid" and "lang" parameters.

(2.2) The second injection point is the "sitemap.php" page, through the same "pageid" and "lang" parameters.
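The advisory names the two parameters but publishes neither the affected code nor a proof-of-concept request. The following is an added example, not SmartCMS code (SmartCMS is a PHP product; nothing here is taken from it): a Python stand-in for the page lookup that index.php or sitemap.php would perform, backed by an in-memory SQLite database so it runs offline. Only the parameter names `pageid` and `lang` come from the advisory; the table layout, the sample rows, the function names and the two payloads are constructed for illustration. It shows the CWE-89 pattern in both a numeric context (`pageid`) and a string context (`lang`), and the parameterised version that closes both.

```python
# Added example, not SmartCMS code: simulates a page lookup keyed by the
# pageid and lang request parameters named in CVE-2014-9558, first with
# string-built SQL (the CWE-89 pattern) and then with bound parameters.
# Schema, sample rows and payloads are constructed for illustration.
import sqlite3


def make_db():
    """Constructed sample data: pages keyed by (pageid, lang) plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (pageid INTEGER, lang TEXT, title TEXT, published INTEGER);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES (1, 'en', 'Home', 1);
        INSERT INTO pages VALUES (1, 'de', 'Startseite', 1);
        INSERT INTO pages VALUES (2, 'en', 'Hidden draft', 0);
        INSERT INTO users VALUES ('admin', 'constructed-admin-hash');
    """)
    return conn


def lookup_page_vulnerable(conn, pageid, lang):
    """CWE-89: request values are pasted straight into the SQL text.

    pageid sits in a numeric context (no quotes to break out of), lang in a
    quoted string context; both are injectable.
    """
    sql = (f"SELECT title FROM pages WHERE pageid = {pageid} "
           f"AND lang = '{lang}' AND published = 1")
    return [row[0] for row in conn.execute(sql)]


def lookup_page_safe(conn, pageid, lang):
    """Fix: validate the integer's shape, then bind both values as parameters.

    Binding keeps user data out of the SQL grammar entirely, so quoting and
    comment sequences in lang are matched literally, never parsed.
    """
    if not pageid.isdigit():
        raise ValueError("pageid must be a non-negative integer")
    sql = "SELECT title FROM pages WHERE pageid = ? AND lang = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (int(pageid), lang))]


# Illustrative payloads (constructed) for the two parameters named by the advisory.
PAYLOAD_PAGEID = "1 OR 1=1 --"   # numeric context: comments out the lang/published filters
PAYLOAD_LANG = "' UNION SELECT password_hash FROM users --"   # string context: reads another table


if __name__ == "__main__":
    db = make_db()
    print("pageid tampering:", lookup_page_vulnerable(db, PAYLOAD_PAGEID, "en"))
    print("lang tampering:  ", lookup_page_vulnerable(db, "1", PAYLOAD_LANG))
    print("same lang, bound:", lookup_page_safe(db, "1", PAYLOAD_LANG))
```

Against the vulnerable function the `pageid` payload returns every row, including the unpublished draft, and the `lang` payload returns the contents of the users table through a UNION. Against the parameterised function the first payload is rejected before any query runs and the second simply matches no row. The integer check matters on its own: a bound parameter stops injection, but rejecting non-numeric `pageid` values early also removes the type confusion that lets "1 OR 1=1" look like a number in the first place.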

References:
