[39408] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

a new sql injection for aspjar guestbook

daemon@ATHENA.MIT.EDU (arash_pc0@yahoo.com)
Mon Jul 4 18:04:46 2005

Date: 4 Jul 2005 20:48:33 -0000
Message-ID: <20050704204833.16955.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: arash_pc0@yahoo.com
To: bugtraq@securityfocus.com

hello , my name is: (arash setayeshi) & my yahoo id is : arash_pc0

I found a new vulnerability in aspjar guestbook that we can control website & go to admin control panel by (sql injection).

sql injection : in login page(guestbook/admin/login.asp) , username should be blank & password is : ' or 'x'='x . by this work we will be in admin control panel so :

username:(nothing)
password: ' or 'x'='x

this is new sql injection attack. i tested this bug and it is in all versions of aspjar guestbook

with special thanks
arash setayeshi
bye


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[39408] in bugtraq

a new sql injection for aspjar guestbook

daemon@ATHENA.MIT.EDU (arash_pc0@yahoo.com)Mon Jul 4 18:04:46 2005

daemon@ATHENA.MIT.EDU (arash_pc0@yahoo.com)
Mon Jul 4 18:04:46 2005