[+] SQL Injection on CMS ContWEB - ATI
[+] Date: 02/07/2014
[+] CWE Number: CWE-89
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.ati.pi.gov.br/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: album.php
[+] Dork: inurl:album.php?id= + pi.gov.br
[+] Exploit: http://host/album.php?id=[SQL Injection]
[+] PoC:
    http://www.setre2.pi.gov.br/album.php?id=69
    http://www.cec.pi.gov.br/album.php?id=45
    http://www.eletrobraspiaui.com/album.php?id=35
[+] Admin Page: http://host/adm/
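
[+] Detection (added example, not part of the original advisory and not vendor code): a log check for operators of sites running album.php, flagging requests whose id parameter is not a plain integer like the ids in the URLs above. Assumptions: Apache/Nginx combined log format; the function name is hypothetical; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_album_requests(log_lines):
    """Return (line_number, decoded id) for album.php requests whose id
    parameter is anything other than a short run of digits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/album.php"):
            continue
        # parse_qs percent-decodes values and keeps repeated parameters,
        # so a second id= appended after a benign one is inspected too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id", []):
            if not re.fullmatch(r"[0-9]{1,10}", value):
                hits.append((n, value))
    return hits

# Constructed sample lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jul/2014:10:00:01 -0300] "GET /album.php?id=69 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Jul/2014:10:00:07 -0300] "GET /album.php?id=69%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [02/Jul/2014:10:00:09 -0300] "GET /album.php?id=69+AND+1%3D1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Jul/2014:10:01:00 -0300] "GET /index.php?id=abc HTTP/1.1" 200 900',
    '203.0.113.9 - - [02/Jul/2014:10:01:30 -0300] "GET /album.php?page=2&id=45&id=45%20-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, value in suspicious_album_requests(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric id {value!r}")
```

The same digits-only rule, applied server-side before the query is built (or replaced by a parameterized query), is the fix for CWE-89 in this parameter.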