fusebox – ‘ProductList.cfm?CatDisplay’ SQL Injection

• Exploit Database
• 107 阅读

• 作者： Shamus
  日期： 2010-05-29
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12786/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152

  ----------------------------------------------------------------------------------------- [AJS_ADVISORIES_01&2010] fusebox (ProductList.cfm?CatDisplay) Remote SQL Injection Vulnerability -----------------------------------------------------------------------------------------   Author : Shamus Date : May, 29 th 2010 Location : Solo && Jogjakarta, Indonesia Web: http://antijasakom.org/forum Critical Lvl : Moderate Impact : - Where: From Remote ---------------------------------------------------------------------------       Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~   Application : - version : - Vendor: http://www.fusebox.org/ download : http://www.fusebox.org/go/getting-started/downloading-fusebox Description : Fusebox is the most popular framework for building ColdFusion and PHP web applications. "Fuseboxers" find that the framework releases them from much of the drudgery of writing applications and enables them to focus their efforts on creating great, customer-focused software. --------------------------------------------------------------------------       Vulnerability: ~~~~~~~~~~~~ -   PoC/Exploit : ~~~~~~~~~~   http://127.0.0.1/ProductList.cfm?CatDisplay=1%27[SQL query] http://127.0.0.1/[path]/ProductList.cfm?CatDisplay=1%27[SQL query]     Dork: ~~~~~ Google : ProductList.cfm?CatDisplay     Solution: ~~~~~ - N/A.     Timeline: ~~~~~~~   - 25 - 05 - 2010 bug found - 29 - 05 - 2010 no vendor contacted - 29 - 05 - 2010 advisory release ---------------------------------------------------------------------------       Shoutz: ~~~~~~~   oO0::::: Greetz and Thanks: :::::0Oo. Tuhan YME My Parents SPYRO_KiD K-159 lirva32 newbie_campuz   And Also My LuvLy : ..::.E.Z.R (The deepest Love I'v ever had..).::..   in memorial : 1. Monique 2. Dewi S. 3. W. Devi Amelia 4. S. Anna   oO0:::A hearthy handshake to: :::0Oo ~ Crack SKY Staff ~ Echo staff ~ antijasakom staff ~ jatimcrew staff ~ whitecyber staff ~ lumajangcrew staff ~ unix_dbuger, boys_rvn1609, jaqk, byz9991, bius, g4pt3k, anharku, wandi, 5yn_4ck, kiddies, bom2, untouch ~ arthemist, opt1lc, m_beben, gitulaw, luvrie, poniman_coy, ThePuzci, x-ace, newbie_z, petunia, jomblo.k, hourexs_paloer, cupucyber, kucinghitam, black_samuraixxx, ucrit_penyu, wendys182, cybermuttaqin ~ k3nz0, thomas_ipt2007, blackpaper, nakuragen, candra ~ whitehat, wenkhairu, Agoes_doubleb, diki, lumajangcrew a.k.a adwisatya a.k.a xyberbreaker, wahyu_antijasakom ~ Cruz3N, mywisdom,flyff666, gunslinger_, ketek, chaer.newbie, petimati, gonzhack, spykit, xtr0nic, N4ck0, assadotcom, Qrembiezs, d4y4x ~ All people in SMAN 3 ~ All members of spyrozone ~ All members of echo ~ All members of newhack ~ All members of jatimcrew ~ All members of Anti-Jasakom ~ All members of whitecyber ~ All members of Devilzc0de #e-c-h-o, #K-elektronik, #newhack, #Solohackerlink, #YF, #defacer, #manadocoding, #jatimcrew, #antijasakom, #whitecyber, #devilzc0de ---------------------------------------------------------------------------       Contact: ~~~~~~~~~   Shamus : Shamus@antijasakom.org Homepage: http://antijasakom.org/forum/viewtopic.php?f=38&t=600   -------------------------------- [ EOF ] ----------------------------------