INVOhost SQL Injection Vulnerability

2010-03-25T00:00:00
ID 1337DAY-ID-11437
Type zdt
Reporter Andres Gomez
Modified 2010-03-25T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ====================================
INVOhost SQL Injection Vulnerability
====================================


##########################[Andr?s G?mez]##########################
# Exploit Title : INVOhost SQL Injection
# Author : Andres Gomez
 
# Software Link : http://www.invohost.com/
# Contact : [email protected]<mailto:[email protected]>
# Dork : "Powered by INVOhost"
 
########################################################################
# An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the # integrity of your database and/or expose sensitive information.
 
########################################################################
# Example 1: http://server/site.php?id=%27
# Example 2: http://server/site.php?newlanguage=%00'
# Other files vulnerables: faq.php & manuals.php
 
########################################################################
# Malicious users may inject SQL querys into a vulnerable
# application to fool a user in order to gather data from them or see sensible information.
########################################################################
# Solution:
 
# $_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
# $_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);
 
# Add them to your template index.php after the first <?php deceleration.
########################################################################



#  0day.today [2018-01-03]  #