CVE-2009-3968

ITechBids 8.0 - SQL Injection via User ID, Category ID, News ID, or Product ID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3968. PoCs published by Mr.SQL.

AI-analyzed exploit summary This Perl script exploits a blind SQL injection vulnerability in ITechBids v8.0 by extracting the admin password hash character-by-character via time-based or boolean-based techniques. It targets the 'productid' parameter in 'itechd.php' and uses LWP::UserAgent for HTTP requests.

Description

Multiple SQL injection vulnerabilities in ITechBids 8.0 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php, (2) cate_id parameter to category.php, (3) id parameter to news.php, and (4) productid parameter to itechd.php. NOTE: the sellers_othersitem.php, classifieds.php, and shop.php vectors are already covered by CVE-2008-3238.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Mr.SQL · perlwebappsphp
https://www.exploit-db.com/exploits/9497

This Perl script exploits a blind SQL injection vulnerability in ITechBids v8.0 by extracting the admin password hash character-by-character via time-based or boolean-based techniques. It targets the 'productid' parameter in 'itechd.php' and uses LWP::UserAgent for HTTP requests.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ITechBids v8.0
No auth needed
Prerequisites: Network access to the target web application · Knowledge of a valid productid value
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9497
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36437

Scores

EPSS 0.0093
EPSS Percentile 55.7%

Details

CWE
CWE-89
Status published
Products (1)
itechscripts/itechbids 8.0
Published Nov 18, 2009
Tracked Since Feb 18, 2026