ICloudCenter JobSite PHP Script SQL-i Vulnerability

2011-03-31 / 2011-04-01
Credit: **RoAd_KiLlEr**
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=== ICloudCenter JobSite PHP Script SQL-i Vulnerability === 0 0 1 ########################################### 1 0 I'm **RoAd_KiLlEr** member from 1337 DAY Team 1 1 ########################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 [+]Title :.......ICloudCenter JobSite PHP Script SQL-i Vulnerability [+]Author :......**RoAd_KiLlEr** [+]Tested on :...Win Xp Sp 2/3 | Apache 2.0.64 | PHP: 5.3.5 --------------------------------------------------------------------------- [~] Founded by **RoAd_KiLlEr** [~] Team: Albanian Hacking Crew [~] Contact: sukihack[at]gmail[dot]com [~] Home: http://1337day.com [~] Vendor: http://www.icloudcenter.com [~] Technology: PHP5 [~] Database: MySQL [~] Version: 1.1 [~] License: GNU GPL [~] Price: $44.90 ==========ExPl0iT3d by **RoAd_KiLlEr**========== [+] Description: ICJobSite is a job site script where job-seekers can browse and apply for jobs by following the 5 step resume poster and employers or job recruiters to post their Jobs or view resumes. Administrator can manage the full site from administrator panel. Job Seekers can view a list of available positions, the list includes: Job title, description, name of company and the date the position was advertised. By clicking the job title it is possible to view a job the job with more details and start posting a resume. To post a resume the site user will have to fill out a 5 page form that includes: 1. Personal Details. 2. Training. 3. Employers and Functions. 4. Motivation. 5. Overview. ======================================== [ I ]. SQL-i Vulnerability +=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Input passed to the the "pid" parameter to "position_details" in the "index.php" is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. ========================================== [P0C]: http://127.0.0.1/icjobsite/index.php?page=position_details&pid=[SQL-Injection] [D3m0]: http://127.0.0.1/icjobsite/index.php?page=position_details&pid=[SQL-Injection] [+] TIME TABLE: 27 March 2011 - Vulnerability discovered. 27 March 2011 - Vendor Notified. 27 March 2011 - Sent to vendor all data. 29 March 2011 - Vendor Still Didnt replied. 30 March 2011 - Advisory released. ========== [!] Albanian Hacking Crew ========== [!] **RoAd_KiLlEr** ========== [!] MaiL: sukihack[at]gmail[dot]com ========== [!] Greetz To : Ton![w]indowS | X-n3t | The|DennY` | THE_1NV1S1BL3 | KHG & All Albanian/Kosova Hackers ========== [!] Spec Th4nks: r0073r | indoushka | DoNnY | MaFFiTeRRoR | All 1337day Members | And All My Friendz ========== [!] Red n'black i dress eagle on my chest It's good to be an ALBANIAN Keep my head up high for that flag I die Im proud to be an ALBANIAN ==========


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top