header-logo
Suggest Exploit
vendor:
Auto Car - Car listing Script
by:
Bora Bozdogan
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Auto Car - Car listing Script
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:kamleshyadav:auto_car:1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WiN10_X64
2017

Auto Car – Car listing Script 1.1 – SQL Injection

Auto Car - Car listing Script 1.1 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'category' parameter in the 'search-cars' page. This can be exploited to dump the database contents, including the usernames, passwords, first and last names, and emails of the users.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# #
# Exploit Title: Auto Car - Car listing Script 1.1 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor: http://kamleshyadav.com/
# Software Link: https://codecanyon.net/item/auto-car-car-listing-script/19221368
# Demo: http://kamleshyadav.com/scripts/autocar_preview/
# Version: 1.1
# Tested on: WiN10_X64
# Exploit Author: Bora Bozdogan
# Author WebSite : http://borabozdogan.net.tr
# Author E-mail : borayazilim45@mit.tc
# #	
# POC:
# 
# http://localhost/[PATH]/search-cars?category=[SQL]
# ts_user
#  user_uname
#  user_fname
#  user_lname
#  user_email
#  user_pwd
# #

Navigation

Suggest Exploit

Services By CQR