Vendor: Announcement Script
By: Br0wn Sug4r
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Announcement Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Demo Site
2010

T-dreams Announcement Script SQL injection Vulnerable

T-dreams Announcement Script is vulnerable to SQL injection. An attacker can inject SQL code through the 'key' parameter of the MainAnnounce2.asp page and thereby manipulate the SQL queries the script runs.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
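
A sketch of this mitigation applied to the `key` parameter, added here as an example and not code from the vendor or the advisory. It is written in Python with an in-memory SQLite table because the script's ASP source is not on this page; the table, its rows, the function names and the tampered URL are constructed, and it goes one step beyond validation by binding the value as a query parameter.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

def make_db():
    # Constructed stand-in data; the script's real schema is not on this page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE announcements (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO announcements VALUES (?, ?)",
                   [(190, "Office closed Friday"), (191, "Unpublished draft")])
    return db

def parse_key(url):
    """Return 'key' as an int, or None unless it is a single all-digit value."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("key", [])
    if len(values) != 1:
        return None  # parameter missing or repeated
    raw = values[0]
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        return None  # anything other than a short decimal ID
    return int(raw)

def lookup_unsafe(db, raw_key):
    # The flawed pattern: request text becomes part of the SQL statement.
    sql = "SELECT id, title FROM announcements WHERE id = " + raw_key
    return db.execute(sql).fetchall()

def lookup_safe(db, url):
    # Validate first, then pass the value as a bound parameter, never as SQL text.
    key = parse_key(url)
    if key is None:
        return None  # caller should answer 400 Bad Request
    sql = "SELECT id, title FROM announcements WHERE id = ?"
    return db.execute(sql, (key,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    good = "http://server/announcement/MainAnnounce2.asp?key=190"
    tampered = good + "+OR+1%3D1"  # constructed test value
    print(lookup_unsafe(db, "190 OR 1=1"))
    print(lookup_safe(db, good))
    print(lookup_safe(db, tampered))
```

With concatenation the constructed value changes which rows come back; with validation plus binding the same request is rejected before any query runs.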

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: T-dreams Announcement Script SQL injection Vulnerable
# Date: 21-08-2010
# Author: Br0wn Sug4r
# Software Link: http://www.t-dreams.com/download/announce.zip
# Version: n/a
# Tested on: Demo Site
# category: webapp
# Code : n/a
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Greets to: R45c4l, Sid3^effects, Shobhit, L0rd CruSad3r, Vaibhav, Sonic,
           Yash, KD , Rohit Nambiar, Th3 RDx
           Sorry if i missed sum names... but greets to them too :)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   Greetz To Team: I.C.W | Hackers Reunited | Indishell.in | ICA | AH
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
##############################################################################
%//

----- [ Founder ] -----

      Br0wn Sug4r

----- [ E - mail ] -----

   br0wn_sug4r@ymail.com


                                                       %\\
##############################################################################

##############################################################################
%//

----- [Title] -----

T-dreams Announcement Script SQL injection Vulnerable

----- [ Vendor ] -----

http://www.t-dreams.com/download/announce.zip

                                                        %\\
##############################################################################

##############################################################################
%//

----- [ Injection (s) ] -----

----- [ SQL Injection ] -----

Put [SQL CODE]

[Link] http://server/announcement/MainAnnounce2.asp?key=190[SQL CODE]


                                                        %\\
##############################################################################