[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Gekko CMS (SQL Injection) Vulnerability

Author
[]0iZy5
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-13060
Category
web applications
Date add
29-06-2010
Platform
php
=======================================
Gekko CMS (SQL Injection) Vulnerability 
=======================================

##################################################################
##################################################################
#          ___   ___  _   _____        __                   _    #
#         / _ \ / _ \| | |  __ \      / _|                 | |   #
#    _ __| | | | | | | |_| |  | | ___| |_ __ _  ___ ___  __| |   #
#   | '__| | | | | | | __| |  | |/ _ \  _/ _` |/ __/ _ \/ _` |   #
#   | |  | |_| | |_| | |_| |__| |  __/ || (_| | (_|  __/ (_| |   #
#   |_|   \___/ \___/ \__|_____/ \___|_| \__,_|\___\___|\__,_|   #
#                                                                #
#                                                                #
#                                             +-+-+-+-+          #
#                                             |C|r|e|w|          #
#                                             +-+-+-+-+          #
##################################################################
##################################################################
# [#] Gekko CMS (SQL Injection) Vulnerability                    #
# [#] Discovered By []0iZy5                                      #
# [#] http://r00tDefaced.com                                     #
# [#] Greetz: sHoKeD-bYte, Gn0515, Nex & r00tDefaced Members     #
##################################################################
#
# [2]-SQL injection
#
# Vulnerability Description:
#               SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an #application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL #statements or user input is not strongly typed and thereby unexpectedly executed.
#
# Affected items:
#          http://127.0.0.1/path/search/?cvx=[SQL Injection]
#          http://127.0.0.1/path/search/?uid=[SQL Injection]
#          http://127.0.0.1/path/search/action/search/?cvx=[SQL Injection]
#          http://127.0.0.1/path/search/action/search/?uid=[SQL Injection]
#
# Example: -1+ORDER+BY+1-- [You can find the number of columns (Well just incrementing the number until we get an error.)]
#
# The Risk:
#     By exploiting this vulnerability, an attacker can inject malicious code in the script and can have access to the database.
#
# Fix the vulnerability:
#     To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parametrized statements must be used #(preferred), or user input must be carefully escaped or filtered.
#
#################################################################
#################################################################



#  0day.today [2024-12-24]  #