Vendor: WsCMS
By: cyberlog
CVSS: 8,8 (HIGH)
Title: SQL Injection and XSS/HTML Injection
CWE: 89,79
Product Name: WsCMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

WsCMS SQL Injection Vulnerability [ Multiple Vulnerabilities ]

The vulnerability exists in the WsCMS web application. An attacker can exploit the SQL injection by sending malicious SQL queries in the vulnerable URL parameters: id in news.php, staff.php and our_work.php, and cid in products.php. An attacker can also exploit the XSS/HTML injection vulnerability by sending malicious HTML code in the id parameter of news.php.

Mitigation:

Input validation should be done on the server-side to prevent malicious SQL queries and HTML code from being executed.
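
The server-side handling described above, applied to the id parameter of news.php; the same pattern covers cid in products.php. This is an added example, not WsCMS code: the news table, its columns, the function names and the sample row are assumptions, and it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example, not WsCMS code. Table, columns and sample data are constructed.
declare(strict_types=1);

/** Accept only a plain positive decimal integer for id / cid; reject everything else. */
function parse_id($raw): ?int
{
    // Rejects arrays (?id[]=1), empty values, quotes, markup, signs and whitespace.
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Render one news item; returns [HTTP status, HTML body]. */
function render_news(PDO $db, array $query): array
{
    $id = parse_id($query['id'] ?? null);
    if ($id === null) {
        // Never echo the rejected value back: that reflection is the XSS/HTML injection.
        return [400, '<p>Invalid news id.</p>'];
    }
    // The placeholder keeps the value out of the SQL text even if validation is loosened later.
    $stmt = $db->prepare('SELECT title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, '<p>News item not found.</p>'];
    }
    // Encode stored data on output as well, so markup held in the database stays inert.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [200, '<h1>' . $esc($row['title']) . '</h1><p>' . $esc($row['body']) . '</p>'];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'Launch <b>day</b>', 'Constructed sample row')");

// Constructed inputs: a valid id, a stray quote, markup, and an array-valued parameter.
foreach (['1', "1'", '<marquee>XSS</marquee>', ['1']] as $value) {
    [$status, $html] = render_news($db, ['id' => $value]);
    echo $status, ' ', $html, PHP_EOL;
}
```

Only the first input reaches the database; the other three get the same fixed 400 body, and the stored title is emitted with its angle brackets encoded.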

Exploit-DB raw data:

===============================================
WsCMS SQL Injection Vulnerability [ Multiple Vulnerabilities ]
===============================================


               __                  __               
 .----..--.--.|  |--..-----..----.|  |.-----..-----.
 |  __||  |  ||  _  ||  -__||   _||  ||  _  ||  _  |
 |____||___  ||_____||_____||__|  |__||_____||___  |
       |_____|                               |_____|

####################################################
# WsCMS SQL Injection Vulnerability [ Multiple Vulnerabilities ]

####################################################
# Vendor: http://www.websolutions.ca/technologies.php?id=1
# Discovered by : cyberlog
# Site          : Sekuritionline.net
# Channel       : #SekuritiOnline [ Now Just My Bot ] :P

# Dork          : "Website by WebSolutions.ca "


# Exploit       : [site]/news.php?id=[SQL Injection]
                  [site]/staff.php?id=[SQL Injection]
                  [site]/products.php?cid=[SQL Injection]
                  [site]/our_work.php?id= [SQL Injection]

# XSS/HTML Injection : [site]/news.php?id=<marquee><font color=red size=15>XSS</font></marquee>
                  
# Thanks        : r0073r,adhietslank, k1n9k0ng, cr4wl3r,cah_gemblunkz,
                  jayoes,thesims,setiawan,irvian,EA_Angel,BlueSpy,SoEy,A-technique,Jantap,KiLL,blindboy,sukam,
                  SarifJedul,wiro gendeng,Letjen,ridho_bugs,Ryan Kabrutz,Mathews,aurel666,Inoef,dbanie,

# special to Mama Sri Rahayu, Member & Staff Sekuritonline, C0li a.k.a antisecurity [ borrowed his perl script ] :),
# Hiroyuki Doni thanks to create New design SO T-shirt :)P 
# Inj3ct0r Now Brothers with Sekuritionline
                
####################################################
# Demo: 
# http://localhost/news.php?id=[SQL Injection]
# http://localhost/news.php?id=<marquee><font color=red size=15>cyberlog bukan hacker :P</font></marquee>

####################################################

We never die !!!! indonesian Underground Community
!!!!! a curse on the crooked Government officials who like to pocket the people's money !!!
!!!!! and a curse too on the indon3sia site admins who think they are so gr3at, and get defensive when told there is a hole !!!!!

KacrUt I h@te U :P [ if you don't want me to say LOv3 ]
Give me NOCAN Brothers :P
am nt hacker just Lik3 Syst3m S3curity

 .-----..-----.|  |--..--.--..----.|__||  |_ |__|.-----..-----.|  ||__|.-----..-----.
 |__ --||  -__||    < |  |  ||   _||  ||   _||  ||  _  ||     ||  ||  ||     ||  -__|
 |_____||_____||__|__||_____||__|  |__||____||__||_____||__|__||__||__||__|__||_____|