########################################################################################
#______________________________________________________________________________________
# Exploit Title : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date : 15-December-2015
# Version : (Version 1.00)
# CVE : NONE
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________
## Vulnerability Code
".$categoryname."";
} else {
$displaycat = "".$categoryname."";
}
// if the category DOES have a parent
} else {
$query = "select * from categories where id=".$catparent;
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_array($result);
$parentname = $info['name'];
if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }
if ($seourls == 1) { // With SEO URLS
$displaycat = "".$parentname." >
".$categoryname."";
} else {
$displaycat = "".$parentname." >
".$categoryname."";
}
}
// Add a view to this article
$query = "select * from articleviews where articleid = ".$article;
$results = mysql_query($query,$connection) or die(mysql_error());
$viewinfo = mysql_fetch_array($results);
if ($viewinfo == NULL) {
$sql = "INSERT INTO articleviews VALUES (".$article.", 1)";
$query = mysql_query($sql);
} else {
$totalviews = $viewinfo['views'];
$totalviews++;
$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";
$query = mysql_query($sql);
}
if ($seourls == 1) { // With SEO URLS
$authorlink = "".$authorname."";
} else {
$authorlink = "".$authorname."";
}
// Setup all template variables for display
$articletemp->set("authorname", $authorname);
$articletemp->set("authorlink", $authorlink);
$articletemp->set("date", $artdate);
$articletemp->set("displaycat", $displaycat);
$articletemp->set("views", $totalviews);
$articletemp->set("title", $title);
$articletemp->set("body", $body);
$articletemp->set("gravatar", $gravatar);
$articletemp->set("resource", $resource);
// For the adcode
$query = "select * from adboxes where id=1;";
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_assoc($result);
$articletemp->set("250adcode", stripslashes($info['adcode']));
// Outputs the homepage template!
echo $articletemp->output();
//Displays the comments -- if admin has them enabled
if($sitecomments == 0) {
echo "