PostNuke FormExpress Module – Blind SQL Injection

• Exploit Database
• 82 阅读

• 作者： Ali Abbasi
  日期： 2010-03-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11784/

• # Date: 17/03/2010
  # Software Link: http://sourceforge.net/projects/pn-formexpress/
  # Version: 0.3.2
  ####################################################################
  PostNuke ContentExpress Module Blind Sql Injection
  Reported by Sharif University of Technology CSIRT
  Vulnerability Analysis and Penetration Testing Group
  cert.sharif.edu , nsc.sharif.edu
  ####################################################################
  
  ===[ POC ]===
  Vulnerability occurred in form_id parameter of FormExpress Component in Postnuke
  /index.php?module=FormExpress&func=display_form&form_id=1'
  The Attacker could read content of the database via blind sql injection methods (like ascii(substring))
  ####################################################################
  
  -----
  Ali Abbasi
  

  Python

  Copy