- [+] Author: TUNISIAN CYBER
- [+] Exploit Title: NoticeBoardPro v1.X SQL Injection vulnerability
- [+] Date: 27-12-2013
- [+] Category: WebApp
- [+] Google Dork: n/a
- [+] Tested on: KaliLinux
- [+] Vendor: http://www.noticeboardpro.com/
- ########################################################################################
- +Description:
- NoticeBoardPro is an online, web-based, notice / bulletin board system that acts as a market place and lets you advertise.
- +Exploit:
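- NoticeBoardPro suffers from an SQL injection vulnerability: the noticeID and userID GET parameters are interpolated directly into the SQL statements shown below.
- File(s): deleteItem3.php, deleteItem2.php, deleteItem1.php
- Parameter: noticeID, userID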
- [PHP]
- $noticeID=$_GET['noticeID'];
- $userID=$_GET['userID'];
- mysql_connect("$hostName", "$dbusername", "$dbpassword");
- $result1 = mysql_query("SELECT * FROM $databaseName.notice_nbp where $databaseName.notice_nbp.noticeID = '$noticeID' and $databaseName.notice_nbp.userID = '$userID'");
- $result = mysql_query("DELETE FROM $databaseName.notice_nbp where $databaseName.notice_nbp.noticeID = '$noticeID' and $databaseName.notice_nbp.userID = '$userID'");
- [PHP]
- P.O.C:
- http://127.0.0.1/NoticeBoardPro/deleteItem3.php?noticeID=&userID=[SQL]
- ./3nD
- ########################################################################################
- Greets to: XMaX-tn, N43il HacK3r, XtechSEt
- Sec4Ever Members:
- DamaneDz
- UzunDz
- GEOIX
- ########################################################################################
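
A hardened form of the delete logic quoted in the advisory, as an added example that is not NoticeBoardPro's code or the advisory author's. It assumes noticeID and userID are integer columns; the function name deleteNotice and the in-memory SQLite demo data are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: validates both ids as positive integers, then
// deletes with bound parameters so request input never becomes SQL text.
function deleteNotice(PDO $pdo, $noticeID, $userID): int
{
    $opts = ['options' => ['min_range' => 1]];
    $nid = filter_var($noticeID, FILTER_VALIDATE_INT, $opts);
    $uid = filter_var($userID, FILTER_VALIDATE_INT, $opts);
    if ($nid === false || $uid === false) {
        return -1; // reject anything that is not a plain positive integer
    }
    $stmt = $pdo->prepare(
        'DELETE FROM notice_nbp WHERE noticeID = :nid AND userID = :uid'
    );
    $stmt->bindValue(':nid', $nid, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually deleted
}

// Constructed demo table in an in-memory SQLite database (the application
// itself uses MySQL; only the DSN and credentials would differ).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notice_nbp (noticeID INTEGER, userID INTEGER, title TEXT)');
$pdo->exec("INSERT INTO notice_nbp VALUES (1, 10, 'a'), (2, 20, 'b'), (3, 20, 'c')");

// Constructed inputs standing in for $_GET['noticeID'] and $_GET['userID'].
$cases = [
    ['1', '10'],   // owner deletes own notice
    ['2', '10'],   // valid integers, but no row matches this owner
    ["2'", '20'],  // non-integer input (stray quote) is rejected before SQL
];

foreach ($cases as [$n, $u]) {
    printf("noticeID=%s userID=%s -> %d\n", $n, $u, deleteNotice($pdo, $n, $u));
}

// Rows 2 and 3 must still exist after the three calls above.
$left = (int) $pdo->query('SELECT COUNT(*) FROM notice_nbp')->fetchColumn();
printf("rows remaining: %d\n", $left);
```

Against MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared server-side. Binding fixes the injection only; the ownership check still trusts a request-supplied userID, which a deployment would take from the authenticated session instead.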