Title: PicoPublisher v2.0 Remote SQL injection
Author: ZeTH HdhCmsTest2cto测试数据 zeth/at/hacktheplan8/dot/com
Vendor: Pico Software http://pico.no/
Affected version: 2.0
Price: $29,00

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

--[1]-- Introduction

PicoPublisher business software
PicoPublisher is a product from Pico Software

[Manage your website]
PicoPublisher makes it easy to manage your website. With the built-in templates you can add columns, slideshows, tabs, boxes and videos directly from the text editor.

[Manage your customers]
CRM systems are often too expensive for small businesses. With PicoPublisher you can manage your customers just as easily as your website. And in the same place!

[Create invoices]
Create professional PDF invoices in seconds. Add products to the database and insert products into the invoice directly. You will get notifications when invoices are overdue.

--[2]-- Vulnerability description

Affected pages:
[+] page.php
[+] single.php

Attack method: Remote SQL injection

POC:
[+] http://HdhCmsTest2cto测试数据 /page.php?id=SQLi
[+] http://HdhCmsTest2cto测试数据 /single.php?id=SQLi

Tables:
+-------------------+
| customers
| expenses
| gallery_category
| gallery_photos
| invoice_reminders
| invoices
| invoices_product
| menu_items
| menus
| notes
| options
| orders
| orders_product
| pages
| pico_comments
| pico_config
| pico_karma_voted
| posts
| product_list
| users
+-------------------+

--[3]-- Fix: strengthen input filtering of the id parameter on the pages listed above.
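To make the fix concrete, here is an added illustration (not PicoPublisher's own code; the handler names, the pages table and its columns are assumptions) of the weak pattern that lets an unfiltered id parameter reach the query, next to a hardened version that validates the value as an integer and binds it with a prepared statement:

```php
<?php
// Added example, not code from PicoPublisher. Function, table and column
// names are hypothetical; the sample rows below are constructed.

// Weak pattern: the request parameter is spliced straight into the SQL
// string, so whatever the client sends becomes part of the statement.
function load_pages_unsafe(PDO $db, string $id): array
{
    $sql = 'SELECT id, title FROM pages WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer, then bind it as a typed
// parameter so the database never interprets it as SQL text.
function load_pages_safe(PDO $db, string $id): ?array
{
    $pageId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pageId === false) {
        return null; // caller should answer with HTTP 400 and log the request
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'Home'), (2, 'Unpublished draft')");

$tampered = '1 OR 1=1'; // a non-numeric id, as in the PoC's ?id=SQLi
echo count(load_pages_unsafe($db, $tampered)), " rows from the weak query\n";   // 2
var_dump(load_pages_safe($db, $tampered));  // NULL: rejected before any query runs
echo count(load_pages_safe($db, '1')), " row for a legitimate id\n";             // 1
```

The same change applies to single.php; the check belongs in every handler that reads id, not only the two pages the advisory names.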