Sinojet SQL Injection Vuln

[o] Sinojet SQL Injection Vulnerability
Software : Sinojet Script
Vendor : http://www.sinojet.net/

Author : NoGe


[o] Vulnerable file
product.php


[o] Exploit
http://localhost/[path]/product.php?id=[SQL]


[o] Proof Of Concept
http://www.wuzhoushanwang.com/en/product.php?id=1
http://www.guangchengal.com/en/product.php?id=9
http://www.gdtengfei.com/en/product.php?id=6


[o] Dork
"Powered by Sinojet"


[o] Note
Private shop script again. -_-
If there is no result, try to inject with schemafuzz. :)
Don't have schemafuzz? You can download it here.
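
[o] Detection (added example)
For site owners running this script: the injection point above is the id parameter of product.php, so any request whose id is not a plain integer is worth reviewing. The sketch below is an added example, not part of the original advisory or the vendor's code; it assumes Apache/nginx combined-format access logs, and the log lines, IP addresses, and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # request line
TARGET_SCRIPT = "product.php"  # vulnerable file named in the advisory
TARGET_PARAM = "id"            # injectable parameter named in the advisory


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2527) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_ids(log_line):
    """Return id values sent to product.php that are not plain integers."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/" + TARGET_SCRIPT):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, [])
    return [v for v in map(fully_decode, values) if not re.fullmatch(r"\d{1,10}", v)]


def scan(lines):
    """Map client IP -> list of non-integer id values seen from it."""
    hits = {}
    for line in lines:
        bad = suspicious_ids(line)
        if bad:
            hits.setdefault(line.split(" ", 1)[0], []).extend(bad)
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /en/product.php?id=6 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /en/product.php?id=6%27 HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /en/product.php?id=6%2527 HTTP/1.1" 200 310',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /en/news.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same integer-only rule belongs in product.php itself: cast or validate id before it reaches the query and bind it as a parameter in a prepared statement.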