BugTraq
ASP Cart [multiples injection sql (post & get)] Nov 14 2006 09:24PM
saps audit gmail com
vendor site: http://www.aspcart.com
product: ASP Cart
bug: multiples injection sql post & get
global risk: high !

injection get :
http://site.com/prodetails.asp?prodid='[sql]

injection (post) :

1)http://site.com/display.asp
Variables:
/display.asp?page='[sql]

2)http://site.com/addcart.asp
Variables:
/addcart.asp?custid='[sql]

3)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item='[sql]

4)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price='[sql]

5)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom='[sql]

6)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department='[sql]

7)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&s
tart='[sql]

8)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity='[sql]

9)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit='[sql]

10)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit=1&custom1='[sql]

11)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit=1&custom1=1&custom2='[sql]

12)http://site.com/addcart.asp
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit=1&custom1=1&custom2=1&custom3='[sql]

12)http://site.com/payment.asp
Variables:
/payment.asp?customerid='[sql]

laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit (at) gmail (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus