sean finney on 27 Apr 2009 22:39:21 -0700



Re: [PLUG] slightly off topic, joomla fireboard sql injection vulnerability?


okay, i was curious about this one:

On Mon, Apr 27, 2009 at 06:54:23PM -0400, Michael Lazin wrote:
> trator/index2.php HTTP/1.1" 200 142884 www.xxx.com "http://www.xxx.com/a
> dministrator/index2.php?option=com_content&sectionid=0&mosmsg=1%20\xe6\x9d\xa1\x
> e7\x9b\xae\xe6\x88\x90\xe5\x8a\x9f\xe5\xa4\x8d\xe5\x88\xb6\xe5\x88\xb0\xe5\x8d\x
> 95\xe5\x85\x83:%20\xe6\x89\x80\xe6\x9c\x89\xe6\x96\x87\xe7\xab\xa0,%20\xe5\x88\x
> 86\xe7\xb1\xbb:%20\xe5\x8a\xa0\xe6\x8b\xbf\xe5\xa4\xa7\xe7\x94\x9f\xe6\xb4\xbb"
> "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Alexa Toolbar)" "-"

while initially kinda scary, this doesn't look like shell code/exploit.  try
this:

printf '1 \xe6\x9d\xa1\xe7\x9b\xae\xe6\x88\x90\xe5\x8a\x9f\xe5\xa4\x8d\xe5\x88\xb6\xe5\x88\xb0\xe5\x8d\x95\xe5\x85\x83: \xe6\x89\x80\xe6\x9c\x89\xe6\x96\x87\xe7\xab\xa0, \xe5\x88\x86\xe7\xb1\xbb: \xe5\x8a\xa0\xe6\x8b\xbf\xe5\xa4\xa7\xe7\x94\x9f\xe6\xb4\xbb' > foo.txt

(%20 == space which i manually replaced)

cat foo.txt:
1 条目成功复制到单元: 所有文章, 分类: 加拿大生活

(for those without proper utf8 support, that's a blob of chinese text).

asking google to translate:

1 entry successfully copied to the unit: All articles, Category: Canada Life


	sean


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
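
The manual decode in the message above, generalized into a small triage script. This is an added example, not part of the original post; it assumes the log uses Apache-style `\xHH` escaping for non-printable bytes, and the function names and the rejoined Referer string are constructed here from the quoted log line.

```python
import re
import unicodedata
from urllib.parse import urlsplit, unquote_to_bytes

# Referer field from the quoted log line, rejoined into one string
# (www.xxx.com is the redaction already used in the post).
REFERER = (
    r"http://www.xxx.com/administrator/index2.php?option=com_content"
    r"&sectionid=0&mosmsg=1%20\xe6\x9d\xa1\xe7\x9b\xae\xe6\x88\x90\xe5\x8a\x9f"
    r"\xe5\xa4\x8d\xe5\x88\xb6\xe5\x88\xb0\xe5\x8d\x95\xe5\x85\x83:%20"
    r"\xe6\x89\x80\xe6\x9c\x89\xe6\x96\x87\xe7\xab\xa0,%20\xe5\x88\x86\xe7\xb1\xbb:"
    r"%20\xe5\x8a\xa0\xe6\x8b\xbf\xe5\xa4\xa7\xe7\x94\x9f\xe6\xb4\xbb"
)

# Assumed log format: non-printable bytes appear as \xHH, and a literal
# " or \ is written with a backslash in front of it.
APACHE_ESC = re.compile(r'\\(?:x([0-9a-fA-F]{2})|(["\\]))')

def _to_percent(m):
    # Rewrite either escape form as %HH so one decoder handles everything.
    return "%" + (m.group(1) or format(ord(m.group(2)), "02X"))

def query_params(logged_url):
    """Map each query parameter in a logged URL to its raw decoded bytes."""
    url = APACHE_ESC.sub(_to_percent, logged_url)
    params = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        params[name] = unquote_to_bytes(value.replace("+", " "))
    return params

def triage(raw):
    """Return (verdict, display string) for one decoded parameter value."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Not valid UTF-8: keep the odd bytes visible instead of dropping them.
        return "not-utf8", raw.decode("utf-8", errors="backslashreplace")
    if any(unicodedata.category(c).startswith("C") for c in text):
        # Control/format/unassigned characters: show them escaped.
        return "control-chars", text.encode("unicode_escape").decode("ascii")
    return "text", text

if __name__ == "__main__":
    for name, raw in query_params(REFERER).items():
        print(name, *triage(raw))
```

A "text" verdict only means the bytes decode to readable characters; the decoded string still has to be read (or translated, as above) to judge what the request was doing.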