KARMA 6.0.0 SQL Injection Vulnerability

2018-12-17T00:00:00
ID 1337DAY-ID-31801
Type zdt
Reporter Ali Abdollahi
Modified 2018-12-17T00:00:00

Description

Exploit for php platform in category web applications

                                        
CWE-89
Use CVE-2018-18399.

Credit: Ali Abdollahi
Description:
SQL injection vulnerability in the "ContentPlaceHolder1_uxTitle" component
in ArchiveNews.aspx in jco.ir KARMA 6.0.0 allows a remote attacker to
execute arbitrary SQL commands via the "id" parameter.

Reference:
> https://jco.ir/
> http://yon.ir/pHjDN
> https://jco.ir/Product/Details/1054/%D8%B3%D8%A7%D9%85%D8%A7%D9%86%D9%87%20%D9%86%D8%B1%D9%85%20%D8%A7%D9%81%D8%B2%D8%A7%D8%B1%DB%8C%20%D9%86%D8%B8%D8%A7%D9%85%20%D9%BE%D8%B0%DB%8C%D8%B1%D8%B4%20%D9%88%20%D8%A8%D8%B1%D8%B1%D8%B3%DB%8C%20%D9%BE%DB%8C%D8%B4%D9%86%D9%87%D8%A7%D8%AF%D9%87%D8%A7%DB%8C%20%DA%A9%D8%A7
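
A defender-side check for the issue described above, as an added example that is not part of the original advisory: it scans a W3C extended-format web server log for requests to ArchiveNews.aspx whose "id" value is not a plain integer after percent-decoding. The log format, the sample lines, and the assumption that legitimate "id" values are short integers are constructed for illustration and are not stated in the advisory.

```python
import re
from urllib.parse import parse_qs

TARGET_PAGE = "/archivenews.aspx"     # page named in the advisory (compared lowercased)
TARGET_PARAM = "id"                   # parameter named in the advisory
NUMERIC = re.compile(r"[0-9]{1,10}")  # assumption: a legitimate id is a short integer

# Constructed sample log in W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2018-12-17 10:00:01 GET /ArchiveNews.aspx id=42 192.0.2.10 200
2018-12-17 10:00:05 GET /ArchiveNews.aspx id=42%27 198.51.100.7 500
2018-12-17 10:00:09 GET /Default.aspx - 192.0.2.10 200
2018-12-17 10:00:12 GET /archivenews.aspx ID=7&id=abc 198.51.100.7 200
2018-12-17 10:00:20 GET /ArchiveNews.aspx page=2 192.0.2.33 200
2018-12-17 10:00:31 GET /ArchiveNews.aspx id=4%32 192.0.2.33 200
"""


def suspicious_requests(log_text):
    """Return (line_no, client_ip, raw_query) for each non-numeric id value."""
    fields, hits = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() != TARGET_PAGE:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":               # "-" marks an empty field in W3C logs
            continue
        # parse_qs percent-decodes values; keep blanks so "id=" is not dropped.
        params = parse_qs(query, keep_blank_values=True)
        # Match the parameter name case-insensitively and check every repeat.
        values = [v for k, vs in params.items()
                  if k.lower() == TARGET_PARAM for v in vs]
        if any(not NUMERIC.fullmatch(v) for v in values):
            hits.append((line_no, rec.get("c-ip", "?"), query))
    return hits


if __name__ == "__main__":
    for line_no, ip, query in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent non-numeric id: {query}")
```

The check decodes before matching, so an encoded but numeric value such as `id=4%32` is not flagged while `id=42%27` is.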

#  0day.today [2018-12-18]  #