HauntmAx CMS SQLi Vulnerability

vendor:

HauntmAx CMS

by:

Sid3^effects aKa HaRi

CVSS

HIGH

SQL Injection

CWE

Product Name: HauntmAx CMS

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: CVE-2010-2090

CPE: a:hauntmax:hauntmax_cms

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0602/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux,Windows

2010

HauntmAx CMS SQLi Vulnerability

HauntmAx CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mitigation:

Upgrade to the latest version of HauntmAx CMS

Source

Exploit-DB raw data:

        ==================================
         HauntmAx CMS SQLi Vulnerability
        ==================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1               ##########################################             1
0               I'm Sid3^effects member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Name : HauntmAx CMS SQLi Vulnerability
Date : june, 9 2010
Vendor url :http://www.hauntmax.com/
Platform: Linux,Windows
Price: $200 
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
greetz to :All ICW members.

###############################################################################################################
Description:

HauntmAx CMS Haunted House Directory Listing

     * Visit Publisher Site
     * Need help with this script?
     * Hire a Hot Scripts Consultant

HauntmAx CMS is the first Content Management System of its kind that lets you build your own Haunted House Directory web site without having to write code from scratch. Easy menu driven web builder allows you to create a local area, state, country or even global listing with an automated user input system. Haunt owners can update their own listing with authorized account management capabilities. Make Money!!! * Selling Advertising * Selling Prime Haunt Listing Space * Drive Traffic to Your Site Or just provide a needed service to the haunt community near you. HauntmAx CMS can have your Haunted House Directory up and running in no time at all. 

###############################################################################################################

Xploit: SQLi Vulnerability

Example :http://[site]/index.php?c_action=listings&state=%272

###############################################################################################################
# 0day no more 
# Sid3^effects