Tochin Ecommerce Multiple Remote Vulnerability

vendor:

Ecommerce

by:

cyberlog

8,8

CVSS

HIGH

SQL Injection and Cross Site Scripting

89 (SQL Injection) and 79 (Cross Site Scripting)

CWE

Product Name: Ecommerce

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Tochin Ecommerce Multiple Remote Vulnerability

The vulnerability exists in the product.php page of Tochin Ecommerce, where an attacker can inject malicious SQL queries or Cross Site Scripting payloads in the product_id parameter.

Mitigation:

Input validation and sanitization should be implemented to prevent malicious payloads from being injected.

Source

Exploit-DB raw data:

===============================================
Tochin Ecommerce Multiple Remote Vulnerability
===============================================


               __                  __               
 .----..--.--.|  |--..-----..----.|  |.-----..-----.
 |  __||  |  ||  _  ||  -__||   _||  ||  _  ||  _  |
 |____||___  ||_____||_____||__|  |__||_____||___  |
       |_____|                               |_____|

####################################################
# Tochin Ecommerce Multiple Remote Vulnerability
####################################################
# Vendor: http://www.tochin.net/
# Discovered by : cyberlog
# Site          : Sekuritionline.net
# Channel       : #SekuritiOnline [ Now Just My Bot ] :P
# Dork          : "Not me give to lamers"
# Exploit       : 
                  [site]/product.php?product_id=[SQL Injection]
                  [site]/product.php?product_id=[Cross Site Scripting]

# Thanks        : r0073r,adhietslank, k1n9k0ng, cr4wl3r,cah_gemblunkz,
                  jayoes,thesims,setiawan,irvian,EA_Angel,BlueSpy,SoEy,A-technique,Jantap,KiLL,
                  SarifJedul,wiro gendeng,Letjen,ridho_bugs,Ryan Kabrutz,Mathews, aurel666

# special to Mama Sri Rahayu, Member& Staff Sekuritonline, C0li a.k.a antisecurity [ pinjem script perl-na ] :), 
# Inj3ct0r Now Brothers with Sekuritionline
                
####################################################
# Demo: 
# http://localhost/product.php?product_id=[SQL Injection]
# http://localhost/product.php?product_id=[Cross Site Scripting]
       
####################################################

We never die !!!! indonesian Underground Community
!!!!! anjing buat oknum Pemerintah yang suka nilep uang rakyat !!!
!!!!! anjing juga buat admin site indon3sia yang merasa sok h3bat, dikasih tahu ada hole malah nyolot !!!!!

KacrUt I h@te U :P [ jika kau tidak mau aku katakan LOv3 ]
Give me NOCAN Brothers :P
am nt hacker just Lik3 Syst3m S3curity



                __                  __  __    __                __  __               
 .-----..-----.|  |--..--.--..----.|__||  |_ |__|.-----..-----.|  ||__|.-----..-----.
 |__ --||  -__||    < |  |  ||   _||  ||   _||  ||  _  ||     ||  ||  ||     ||  -__|
 |_____||_____||__|__||_____||__|  |__||____||__||_____||__|__||__||__||__|__||_____|