Vendor: TOPHangman
By: Unknown
CVSS: 7.5 (HIGH)
SQL Injection, HTML Injection
CWE: 89
Product Name: TOPHangman
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested: Unknown
TOPHangman SQL and HTML Injection Vulnerabilities
The TOPHangman application fails to properly sanitize user-supplied input, leading to SQL and HTML injection vulnerabilities. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit other latent vulnerabilities in the database, or execute arbitrary script code in the context of an unsuspecting user's browser. Successful exploitation can result in theft of authentication credentials, attacker control of the site's appearance, and the launching of further attacks.
Mitigation:
To mitigate these vulnerabilities, implement proper input validation and sanitization: validate and sanitize input before it is used in SQL queries or displayed on web pages.