LIOOSYS CMS (news.php) SQL Injection Vulnerability

vendor:

CMS

by:

GlaDiaT0R

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

LIOOSYS CMS (news.php) SQL Injection Vulnerability

A SQL injection vulnerability exists in LIOOSYS CMS, which could allow an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'news.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable script. Successful exploitation could result in unauthorized access to sensitive information or allow an attacker to modify data in the database.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized before being used in SQL queries.

Source

Exploit-DB raw data:

##############################################################################
# [+]Title: [LIOOSYS CMS (news.php) SQL Injection Vulnerability]
##############################################################################
# [+] About :
##############################################################################
# Author : GlaDiaT0R
# Contact: the_gl4di4t0r[AT]hotmail[DOT]com or berrahal.ryadh[AT]gmail[DOT]com
# Team : Tunisian Power Team
# Greetz : ALLAH ! , Boomrang_victim, Marwen_Neo, Alphanix, Zigma & my friends
##############################################################################
# Software Link: http://www.lioosys.pl/
# Google dork : Ennay! In ur dreams
# Category: webapps/0day
##############################################################################


=======================

Poc : http://localhost.com/path/news/news.php?id=[SQLi]

=======================