Vendor: CubeCart
By: Dr.NeT @ Abdullah hacker team
CVSS: 8.8 (HIGH)
Type: SQL injection
CWE: 89
Product Name: CubeCart
Affected Version From: 3.0.4
Affected Version To: 3.0.4
Patch Exists: NO
Related CWE: N/A
CPE: a:cubecart:cubecart:3.0.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

CubeCart 3.0.4 <= SQL injection Vulnerabilities

The vulnerability is in the 'productId' parameter of the 'viewProd' action, which is selected through the '_a' parameter. An attacker who manipulates 'productId' can send malicious SQL queries to the application and use them to access or modify the application's data, such as usernames and passwords, or even delete data.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
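
One way to apply this to the 'productId' parameter, shown as an added example that is not CubeCart's code and not part of the original advisory: the value is validated as a positive integer and then passed to the query as a bound parameter. The `inventory` table, its columns, and the function names `parse_product_id` and `find_product` are assumptions; the sample row and inputs are constructed.

```php
<?php
// Added example with hypothetical names; not taken from the CubeCart source.

// Accept productId only if it is a string holding a positive integer.
function parse_product_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // rejects array input such as productId[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look the product up with a bound parameter, so the value is never
// concatenated into the SQL text.
function find_product(PDO $db, int $productId): ?array
{
    $stmt = $db->prepare(
        'SELECT productId, name, price FROM inventory WHERE productId = :id'
    );
    $stmt->bindValue(':id', $productId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inventory (productId INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO inventory VALUES (1, 'Sample widget', 9.99)");

// Constructed inputs: two well-formed ids, then malformed values
// that must be rejected before any query is built.
$samples = ['1', '42', '1 OR 1=1', "1'", '-5', '', ['1']];
foreach ($samples as $raw) {
    $id = parse_product_id($raw);
    if ($id === null) {
        echo 'rejected: ', json_encode($raw), "\n";
        continue;
    }
    $row = find_product($db, $id);
    echo "id $id: ", $row ? $row['name'] : 'not found', "\n";
}
```

Validation and the bound parameter are independent layers: the query stays safe even if a later code path calls `find_product` with a value that skipped `parse_product_id`.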

Exploit-DB raw data:

/////////////////((<? Dr.NeT @ Abdullah hacker team))//////////////
///
///#Title    : CubeCart 3.0.4 <= SQL injection Vulnerabilities 
///
///#Script   : CubeCart 3.0.4
///
///#Language : Php
///
///#Download : http://www.cubecart.com/
///
///#Date     : 2010/12/23
///
///#Version  : 3.0.4
///
///#Dork     : "Powered by CubeCart 3.0.4"
///
///#info     : Dr.NeT @ Abdullah hacker team : xdr.netx@gmail.com
///
//////////////////////////////////////////////////////////////////
///
///$$ Exploit -
///
/// http://loaclhost/index.php?_a=viewProd&productId=(SQL injection)
///
///@@ admin page 
/// 
///@@ http://loaclhost/admin
///
///
///
///
/// Greetz : Sport Evel , MR.bng ,Black Cobra,Abdullah hacker team,Mn7rf hacker, Mr.MoDaMeR,all muslam hackers
///                         ::: exit :::
/////////////////((Dr.NeT @ Abdullah hacker team?>))//////////////