vendor:
MyMarket
by:
h0yt3r
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: MyMarket
Affected Version From: 1.72
Affected Version To: 1.72
Patch Exists: NO
Related CWE: N/A
CPE: a:mymarket:mymarket:1.72
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009
MyMarket 1.72 Blind SQL Injection Exploit
MyMarket 1.72 is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords. The exploit requires a valid category ID and the password is stored in MD5, making it difficult to exploit. The exploit is done by sending unexpected values to the 'id' parameter and then using Union Selecting to extract the data.
Mitigation:
Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.