Vendor: BPHolidayLettings
By: OoN_Boy
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: BPHolidayLettings
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:bpowerhouse:bpholidaylettings
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: ASP.NET 2.0, MSSQL 2005
Date: 2009

BPHolidayLettings SQL Blind Vulnerabilities

BPHolidayLettings is vulnerable to SQL injection; the advisory below identifies the rid and tid query-string parameters of search.aspx as the injection points. An attacker can inject SQL into these parameters and have it executed by the backend database. This can lead to unauthorized access to sensitive data such as user credentials and other confidential information.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
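The following is an added example, not code from the advisory or from the BPHolidayLettings product (whose source is not shown on this page). It contrasts the vulnerable pattern with a hardened one in the stack the advisory names, ASP.NET 2.0 against SQL Server: the first method splices the untrusted query-string value into the SQL text, the second validates the value's type, maps the URL parameter to a column through a fixed whitelist, and passes the value as a typed SqlCommand parameter so the database never parses it as part of the statement. The table and column names (Properties, RegionId, TypeId), the connection string and the ResultsGrid control are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Added example for search.aspx; not the product's code. Table and column
// names, the connection string and the ResultsGrid control are assumptions.
public partial class Search : Page
{
    private const string ConnString = "Server=(local);Database=Lettings;Integrated Security=true;";

    // Fixed mapping from URL parameter to column. Only these two names can ever
    // reach the SQL text, and they come from this table, not from the request.
    private static readonly Dictionary<string, string> ColumnFor = new Dictionary<string, string>
    {
        { "rid", "RegionId" },
        { "tid", "TypeId" }
    };

    // Vulnerable pattern: the untrusted value becomes part of the statement,
    // so whoever controls the parameter controls what SQL Server executes.
    private DataTable SearchUnsafe(string column, string value)
    {
        string sql = "SELECT Id, Title FROM Properties WHERE " + column + " = " + value;
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlDataAdapter da = new SqlDataAdapter(sql, conn))
        {
            DataTable dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Hardened pattern: whitelist the column, type-check the value, and send
    // the value as a typed parameter. The statement text is a constant.
    private DataTable SearchSafe(string param, string value)
    {
        string column;
        if (!ColumnFor.TryGetValue(param, out column))
        {
            throw new ArgumentException("unknown search parameter");
        }

        int id;
        if (!int.TryParse(value, out id) || id <= 0)
        {
            throw new ArgumentException("search id must be a positive integer");
        }

        string sql = "SELECT Id, Title FROM Properties WHERE " + column + " = @Id";
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            using (SqlDataAdapter da = new SqlDataAdapter(cmd))
            {
                DataTable dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Exactly one of rid / tid is expected; the first present one is used.
        string param = Request.QueryString["rid"] != null ? "rid" : "tid";
        try
        {
            ResultsGrid.DataSource = SearchSafe(param, Request.QueryString[param]);
            ResultsGrid.DataBind();
        }
        catch (ArgumentException)
        {
            // Reject without echoing the bad value or a database error message,
            // which would otherwise give an attacker feedback for blind probing.
            Response.StatusCode = 400;
            Response.End();
        }
    }
}
```

The whitelist is what makes the column name safe to concatenate: it is chosen from a constant table keyed by the parameter name, never taken from the request. Filtering alone, as the mitigation above describes, is a weaker defence than parameterization because it has to anticipate every encoding the database will accept; the typed parameter removes the problem rather than filtering it.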

Exploit-DB raw data:

[x]========================================================================================================================================[x]
 |                                                      AntiSecurity[dot]org                                                                |
[x]========================================================================================================================================[x]
 | Title    : BPHolidayLettings SQL Blind Vulnerabilities                                                                                   | 
 | Software : BPHolidayLettings                                                                                                             |
 | Vendor   : http://bpowerhouse.info                                                                                                       |
 | Date     : 22 September 2009 ( Indonesia )                                                                                               |
 | Author   : OoN_Boy                                                                                                                       |
 | Contact  : oon.boy9@gmail.com                                                                                                            |
 | Web      : http://oonboy.info                                                                                             |
 | Blog     : http://oonboy.blogspot.com                                                                                                    |
[x]========================================================================================================================================[x]
 | Technology  : ASP.NET 2.0                                                                                                       |
 | Database    : MSSQL 2005                                                                                                        |
 | Version     : 1.0                                                                                                               |
 | License     : GNU GPL                                                                                                           |
 | Price       : $28.50                                                                                                            |
 | Description : BPHolidayLettings Holiday Lettings Site Script where site users can search holiday lettings all over the world, check       |
 |               availability and contact property owners. Owners can register and advertise properties for rent, mark available days,       |
 |               upload pictures and receive bookings                                                                                        |
[x]========================================================================================================================================[x]
 | Google Dork : find it yourself :)                                                                                                        |
[x]========================================================================================================================================[x]
 | Exploit  : http://localhost.com/search.aspx?rid=[sql]                                                                                     |
 |          : http://localhost.com/search.aspx?tid=[sql]                                                                                     |
[x]========================================================================================================================================[x]
 | Greetz	: antisecurity.org batamhacker.or.id                                                                                            |
 |			  Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va                                   |
 | 			  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere                              |
[x]========================================================================================================================================[x]
 | Note     : Happy Eid al-Fitr, I ask forgiveness in body and soul; forgive all my mistakes so far, everyone :)                             |
 |            Running away.... for a while.... bye bye.....                                                                                  |
[x]========================================================================================================================================[x]