--==+   AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability   +==--

Discovered By: t0pP8uZz
Discovered On: 12 MAY 2008
Script Download: http://www.ajsquare.com/products/auction/index.php?auc=1
DORK: inurl:"classifide_ad.php"

Vendor Has Not Been Notified!


AJ Auction (all versions to date) suffers from an insecure MySQL query, allowing a remote attacker
to inject arbitrary MySQL code/queries.

The injection below will display the admin credentials.

SQL Injections:



Admin login is at /admin/

peace, t0pP8uZz
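
Added example (not part of the original advisory, and not AJ Auction code): a defender-side check that scans web-server access logs for SQL-looking parameter values sent to classifide_ad.php. The advisory does not name the vulnerable parameter, so the check inspects every query-string parameter; the log lines and the parameter name item_id are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script named in the advisory; everything else below is an assumption.
TARGET_SCRIPT = "classifide_ad.php"

# Tokens that should not appear in a listing parameter: SQL keywords,
# comment markers and quote characters. Applied after URL-decoding.
SQL_TOKENS = re.compile(
    r'\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|\bconcat\s*\(|'
    r'information_schema|/\*|--|["\x27]',
    re.IGNORECASE | re.DOTALL,
)

# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for SQL-looking values sent to the script."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/" + TARGET_SCRIPT):
        return []
    # parse_qsl URL-decodes names and values (%20, + and so on).
    return [(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)
            if SQL_TOKENS.search(v)]


# Constructed sample lines (documentation IP ranges, hypothetical parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] '
    '"GET /classifide_ad.php?item_id=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:03:44 +0000] '
    '"GET /classifide_ad.php?item_id=1%20UNION%20SELECT%20NULL-- HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] '
    '"GET /index.php?q=union%20select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        for param, value in suspicious_params(line):
            print(f"line {n}: {param}={value!r}")
```

Only GET query strings are visible in access logs; POST bodies need application-level or WAF logging to get the same coverage.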
