INVOhost - SQL Injection

EDB-ID:

11874

CVE:

2010-1336

EDB Verified:

Author:

Andrés Gómez

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2010-03-25

Vulnerable App:

##########################[Andrés Gómez]##########################
# Exploit Title : INVOhost SQL Injection
# Date : 2010-04-24
# Author : Andrés Gómez

# Software Link : http://www.invohost.com/
# Contact : gomezandres@adinet.com.uy<mailto:gomezandres@adinet.com.uy>
# Dork : "Powered by INVOhost"

########################################################################
# An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the # integrity of your database and/or expose sensitive information.

########################################################################
# Example 1: http://server/site.php?id=%27
# Example 2: http://server/site.php?newlanguage=%00'
# Other files vulnerables: faq.php & manuals.php

########################################################################
# Malicious users may inject SQL querys into a vulnerable
# application to fool a user in order to gather data from them or see sensible information.
########################################################################
# Solution:

# $_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
# $_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);

# Add them to your template index.php after the first <?php deceleration.
########################################################################
# Special Thanks : HYPERNETHOST & Security-Pentest

##########################[Andrés Gómez]#################################

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services