RW-Download v4.0.6 (index.php) SQL Injection Vulnerability

vendor:

RW-Download

by:

Dr.Net

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: RW-Download

Affected Version From: 4.0.6

Affected Version To: 4.0.6

Patch Exists: NO

Related CWE: N/A

CPE: a:rw-download:rw-download:4.0.6

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

RW-Download v4.0.6 (index.php) SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable parameter 'dlid' in the 'index.php' page. This can be used to extract sensitive information from the database or even modify the database content.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

/////////////////////////_Dr.NeT_/////////////////////////////////_Dr.NeT_//////////////////////_Dr.NeT_//////////*
//*Title   ||=> RW-Download v4.0.6 => (index.php) SQL Injection Vulnerability                                    //
//*Secript ||=> RW-Download                                                                                      //
//*Language||=> Php                                                                                              //
//*Download||=> http://traidnt.net/vb/attachment.php?attachmentid=72765&d=1157806602                             //
//*Date    ||=> 2011-01-30                                                                                       //
//*version ||=> 4.0.6                                                                                            //
//*D0rk    ||=> "Powered by RW-Download v4.0.6"                                                                  //
//*info    ||=> By Dr.Net , Abdullah hacker team , || My Email : xdr.netx@Gmail.com                              //
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////*
//*Exploit                                                                                                       //
// ///////                                                                                                       //
// |=> http://localhost/index.php?dlid=1 <== { SQL Injection }                                                   //
// ///////                                                                                                       //
//*Admin Page                                                                                                    //
// |=> http://localhost/admin.php                                                                                //
////                                                                                                             //
//                                                                                                               //
//*Greetz:Black Cobra,Dr.Crackers,Sport Evel,MR.bng,Abdullah hacker team,Mn7rf hacker,toba,nO.wR3a4n,ALL Friend  ||
//////////////////////////////////////////////////////////////////////////////////////////////////////////////// //
/////////////////////////_Dr.NeT_/////////////////////////////////_Dr.NeT_//////////////////////_Dr.NeT_//////////*