vendor: Snipe Gallery
by: dev!l ghost
CVSS: 7,5 HIGH
SQL Injection
CWE: 89
Product Name: Snipe Gallery
Affected Version From: 3.1.5
Affected Version To: 3.1.5
Patch Exists: NO
Related CWE: None
CPE: a:snipe.net:snipe_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2010

Snipe Gallery Script SQL Injection

When you search with the dork you will find a lot of sites. Enter a site and you will find a lot of pictures; enter any picture, then put the (') and start the injection. The injection is very easy.

Mitigation:

Input validation and sanitization should be done to prevent SQL injection attacks.
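
As an added illustration of this mitigation (not Snipe Gallery's code and not from the original advisory), the PHP sketch below validates a numeric image id as a positive integer and, going one step beyond the page's advice, binds it through a prepared statement. The table, column and function names are hypothetical, the in-memory SQLite database stands in for the gallery's real one, and the input strings are constructed samples.

```php
<?php
declare(strict_types=1);

// Hypothetical schema standing in for the gallery's image table.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO images (id, title) VALUES (78, 'sample image')");
    return $pdo;
}

// Input validation: accept only a positive decimal integer, else null.
function parse_image_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // rejects array-style parameters
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Lookup that never concatenates request data into the SQL text.
function find_image(PDO $pdo, mixed $rawId): ?array
{
    $id = parse_image_id($rawId);
    if ($id === null) {
        return null; // caller should answer 400/404 and not echo a DB error
    }
    $stmt = $pdo->prepare('SELECT id, title FROM images WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one valid id, then values that must not reach the query.
$pdo = demo_db();
foreach (['78', "78'", '78 OR 1=1', '', '-1'] as $input) {
    $row = find_image($pdo, $input);
    printf("%-14s => %s\n", var_export($input, true), $row ? $row['title'] : 'no row returned');
}
```

Only the first input returns a row; the value carrying a trailing single quote is rejected during validation and never becomes part of the SQL statement.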
Source

Exploit-DB raw data:

# Exploit Title:   snipe gallery Script Sql Injection
# Date: 26/06/2010
# Author: dev!l ghost
# Email: aws(at)live(dot)it
# Site : www.h00forall.com
# Script url: http://sourceforge.net/projects/snipegallery/
# Version: 3.1.5
# Tested on: Windows
# CVE : ()
  
:::::::::::::::::::::::::
  
  
=================Exploit=================
DorK:(Snipe Gallery v.3.1.5 by Snipe.Net)

When you search with the dork you will find a lot of sites. Enter a
site and you will find a lot of pictures; enter any picture and
then put the (') and start the inject.

The inject is very easy.



----exploit----   

{{DeMo}}
http://www.example.com/snipe/image.php?page=1&search_type=and?_id=78(SQLI)

---------greatz----------
Greatz to all my friends and all the Muslims
and Volc4n0 and Golden Ice and mr.ip
and the all