Shopping Cart Script with Affiliate Program SQL Injection

vendor:

Shopping Cart Script with Affiliate Program

by:

L0rd CrusAd3r aka VSN

7,5

CVSS

HIGH

SQLi Vulnerability

CWE

Product Name: Shopping Cart Script with Affiliate Program

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Shopping Cart Script with Affiliate Program SQL Injection

Whether you want to sell digital or physical products, this fully featured shopping cart script is the perfect solution for managing your business. With a simple, straightforward administration area, you can add as many categories and products as you wish, view pending order, past orders, and email customers. But even better, you can attract affiliates to promote your online store, and make either a percentage commission or flat rate commission per sale down to 3 levels as preferred. Emailing affiliates is as simple as clicking a few buttons, and typing in your message. This quality script includes built-in product search capability to enable your customers to find exactly what they're looking for quick smart, and shows featured products with associated images. You can even offer up to 5 merchant programs for the convenience of your shoppers. Truly a jam packed script with many attractive features that you should check out today! The vulnerability is a SQLi vulnerability which can be exploited by sending a malicious SQL query to the server via the URL http://server/shopcart/index.php?c=[sql].

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:Shopping Cart Script with Affiliate Program SQL Injection
Vendor url:http://www.yourfreeworld.com
Version:n/a
Price:399$
Published: 2010-06-19
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to
all ICW members.
Spl Greetz to:inj3ct0r.com Team, Andhra hackers.com

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Description:

Whether you want to sell digital or physical products, this fully featured
shopping cart script is the perfect solution for managing your business.
With a simple, straightforward administration area, you can add as many
categories and products as you wish, view pending order, past orders, and
email customers. But even better, you can attract affiliates to promote your
online store, and make either a percentage commission or flat rate
commission per sale down to 3 levels as preferred. Emailing affiliates is as
simple as clicking a few buttons, and typing in your message. This quality
script includes built-in product search capability to enable your customers
to find exactly what they're looking for quick smart, and shows featured
products with associated images. You can even offer up to 5 merchant
programs for the convenience of your shoppers. Truly a jam packed script
with many attractive features that you should check out today!

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Vulnerability:

*SQLi Vulnerability

DEMO URL :

http://server/shopcart/index.php?c=[sql]

# 0day n0 m0re #
# L0rd CrusAd3r #