[-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-] Exploit Title : Newsletter 4.3 SQL Injection Vulnerability Exploit Author : Ashiyane Digital Security Team Vendor Homepage: www.conpresso.de - www.conpresso4.de Google Dork ONE: intext:Module Newsletter 4.3 Google Dork TWO: Module Newsletter 4.3 by www.conpresso4.de Date : 2015-05-21 Tested On : linux Kali + Windows Se7en Link Software : http://www.conpresso4.de/_data/cpo4_mod_newsletter_4.3e.zip [-][-][-][-][-][-][-][-][-][-] DESCRITION [-][-][-][-][-][-][-][-][-][-] newsletter Module SQL Injection Vulnerability Researched by Ashiyane Security Researcher Team [-][-][-][-][-][-][-][-][-][-] Location [-][-][-][-][-][-][-][-][-][-][-] http://localhost/[patch]/mod_newsletter/preview.php?action=preview&nr=( SQL ) [-][-][-][-][-][-][-][-][-] Vulnerability CODE [-][-][-][-][-][-][-][-][-] ======= includes/inc_preview.inc.php ======== <?php
// Quoted excerpt: selects one row from the table named by CPO_NEWS using the
// request parameter `nr`, copies its columns into $db_* variables, sets
// $pagetype to 'detail' and then includes inc_output.inc.php.

// Stops immediately unless the constant CPO is defined.
// Presumably a direct-access guard set by the including entry script - confirm.
if (!defined('CPO')) exit;

// Rejects the request unless `nr` is numeric. is_numeric() also accepts
// decimal and exponent forms, which is why the cast below still matters.
if (!is_numeric($_GET['nr'])) exit;

// The only request value placed in the SQL text is `nr`, and it is cast to int
// at the point of concatenation, so only an integer literal reaches the query.
// NOTE(review): with the is_numeric() guard plus the (int) cast, this excerpt
// does not itself show an injectable sink for `nr`; the advisory's claim is not
// demonstrated by the code quoted here. Verify against the shipped
// preview.php and any other parameter it forwards before triaging.
// A bound parameter would be the more robust form if the DB class supports it
// (its API is not visible in this excerpt).
// The final string literal is a space followed by a line break.
$query = "SELECT commentary, verfallsdatum, templates_id, nr, idx, email, autor, pub_datum, titel, initial, freigabe "
    ."FROM ".CPO_NEWS." "
    ."WHERE nr=".(int)$_GET['nr']." 
";

// Project helper defined elsewhere; receives the full query text.
// Presumably writes it to a debug log - confirm where that output goes.
DEBUG(2, $query, __FILE__, __LINE__);

$db = new DB;
$db->query($query);
// The result of next_record() is not checked, so a non-matching `nr` still
// falls through to the v() reads below with whatever DB returns for no row.
$db->next_record();

// Column values copied into locals; nothing in this excerpt reads them, so they
// are presumably consumed by the included inc_output.inc.php.
$db_template = $db->v('templates_id');
$db_nr = $db->v('nr');
$db_idx = $db->v('idx');
$db_email = $db->v('email');
$db_autor = $db->v('autor');
$db_pub_datum = $db->v('pub_datum');
$db_verfallsdatum = $db->v('verfallsdatum');
$db_commentary = $db->v('commentary');
$db_titel = $db->v('titel');
$db_initial = $db->v('initial');
$db_freigabe = $db->v('freigabe');

$pagetype = 'detail';

// The include path is built from CPO_BASEDIR and $activeModules[$directory];
// neither $activeModules nor $directory is assigned in this excerpt.
// NOTE(review): confirm both are set by trusted code rather than request data,
// since together they select the file that is included.
require(CPO_BASEDIR.$activeModules[$directory]['directory'].'/includes/inc_output.inc.php');
?> [-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-] Discovered by : SeRaVo.BlackHat >> H.4.S.S.4.N << Special Tnx : Hamed Nikpour - Hesam Bazvand - H_SQLI.EMpiRe - Rezahck23 Mohammad habili - Alireza Akhtari - Und3rgr0und - EviL ShaDoW - ACCESS [-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-][-]