咬定青山不放松,立根原在破岩中。千磨万击还坚劲,任尔东西南北风

© 竹意 | Powered by LOFTER

CVE-2015-2242 - Webshop hun v1.062S SQL Injection

来自:greenlife

CVE-2015-2242 - Webshop hun v1.062S SQL Injection Web Security Vulnerabilities - greenlife - 二逼年代的傻逼名

 

CVE-2015-2242 - Webshop hun v1.062S SQL Injection Web Security Vulnerabilities



Exploit Title: CVE-2015-2242 Webshop hun v1.062S /index.php Multiple Parameters SQL Injection Web Security Vulnerabilities

Product: Webshop hun

Vendor: Webshop hun

Vulnerable Versions: v1.062S

Tested Version: v1.062S

Advisory Publication: February 21, 2015

Latest Update: March 10, 2015

Vulnerability Type: Improper Control of Generation of Code ('Code Injection') [CWE-94]

CVE Reference: CVE-2015-2242

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Credit: Wang Jing [School of  Mathematical Sciences (001), University of Science and Technology of China (USTC)] (@justqdjing)

 








Persuasion Details:



(1) Vendor & Product Description:



Vendor:

Webshop hun



Product & Version:

Webshop hun

v1.062S



Vendor URL & Download:

Webshop hun can be token from here,

http://www.webshophun.hu/index



Product Introduction Overview:

Webshop hun is an online product sell web application system.


"If our webshop you want to distribute your products, but it is too expensive to find on the internet found solutions, select the Webshop Hun shop program and get web store for free and total maker banner must display at the bottom of the page 468x60 size. The download shop program, there is no product piece limit nor any quantitative restrictions, can be used immediately after installation video which we provide assistance.


"The Hun Shop store for a free for all. In our experience, the most dynamic web solutions ranging from our country. If the Webshop Hun own image does not suit you, you can also customize the look of some of the images and the corresponding text replacement, or an extra charge we can realize your ideas. The Webshop Hun pages search engine optimized. They made the Hun Shop web program to meet efficiency guidelines for the search engines. The pages are easy to read and contain no unnecessary HTML tags. Any web page is simply a few clicks away."






(2) Vulnerability Details:

Webshop hun web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

 

Several similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Webshop hun has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities.


(2.1) The vulnerability occurs at "&termid" "&nyelv_id" parameters in "index.php?" page.







References:

http://seclists.org/fulldisclosure/2015/Mar/27

http://lists.openwall.net/full-disclosure/2015/03/05/6

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1667

http://packetstormsecurity.com/files/130656/Webshop-Hun-1.062S-SQL-Injection.html

https://progressive-comp.com/?l=full-disclosure&m=142551597501701&w=2

http://mathswift.blogspot.com/2015/05/cve-2015-2242-webshop-hun-v1062s-sql.html

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01739.html

https://itinfotechnology.wordpress.com/2015/03/04/webshop-hun-v1-062s-sql-injection-security-vulnerabilities/

http://lists.kde.org/?a=139222176300014&r=1&w=2

https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts/ix8RhPjqKBu

http://www.tetraph.com/blog/sql-injection-vulnerability/cve-2015-2242-webshop-hun-v1-062s/

https://twitter.com/justqdjing/status/597681322568454145

http://covertredirect.com/daily/

http://securitypost.tumblr.com/post/118684080442/cve-2015-2242-webshop-hun-v1-062s-sql-injection

http://itsecurity.lofter.com/post/1cfbf9e7_6ebf54e

http://webtechhut.blogspot.com/2015/05/cve-2015-2242-webshop-hun-v1062s-sql.html

https://hackertopic.wordpress.com/2015/05/11/cve-2015-2242-webshop-hun-v1-062s-sql-injection-web-security-vulnerabilities/

http://blog.163.com/greensun_2006/blog/static/11122112201541145543836/

https://www.facebook.com/websecuritiesnews/posts/791040474349458

http://www.weibo.com/5099722551/ChlUA5smp?type=comment


 
评论
 
回到顶部