Waraxe IT Security Portal
Login or Register
November 21, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 59
Members: 0
Total: 59
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> [ECHO_ADV_13$2005]Multiple Vulnerabilities in MetaCart eShop
Post new topicReply to topic View previous topic :: View next topic
[ECHO_ADV_13$2005]Multiple Vulnerabilities in MetaCart eShop
PostPosted: Mon May 16, 2005 11:35 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




Code:

--------------------------------------------------------------------------
Multiple Vulnerabilities in MetaCart e-Shop
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: May, 16th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv13-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : MetaCart e-Shop
version: All version of MetaCart e shop Products
url : http://www.metalinks.com
Author: MetaLinks Online Design
Description:

MetaCart e-Shop Is shopping cart application for small businesses
and support ms SQL,MS Access and MySQL.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)

File productsByCategory.asp

http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>

Problem Script productsByCategory.asp

--------------
strCatalog_name = Request.QueryString("strCatalog_NAME")
...
...
strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write

(Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")

--------------

B. SQL Injection

File productsByCategory.asp
http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2'(Sql Injection)

Problem Script

---------------
intCatalogID = Request.QueryString("intCatalogID")
...
...
' Build SQL String using the parameters
strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID
= '"&strParam&"'"

---------------

Ex : http://www.metalinks.com/mcartlite/productsByCategory.asp?strSubCatalogID=2'having
1=1--
Error :
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '1=1--''.
/mcartlite/productsByCategory.asp, line 114

File strCatalog_NAME
http://[url]/mcartlite/product.asp?intProdID=1'(SQL Injection)

Problem Script product.asp line 102

---------------
intProdID = Request.QueryString("intProdID")
...
...
Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
"products where productID="&intProdID)
if rsProdInfo.EOF then
Response.Write "Product Number " & intProdID & _
" does not exist."
---------------

C. Solution
Using Replace String For Filter some character
- productsByCategory.asp

* Find
intCatalogID = Request.QueryString("intCatalogID")
After,add
intCatalogID = Replace(intCatalogID,"'","")
* Find
strCatalog_name = Request.QueryString("strCatalog_NAME")
After,add
strCatalog_name = Replace(strCatalog_NAME,"<","")

- product.asp

* Find
intProdID = Request.QueryString("intProdID")
After,add
intProdID = Replace(intProdID,"'","")



---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker yahoogroups com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------


one of my staff found it, and even the developer site vuln against this Smile;
also provided from
bugtraq

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
[ECHO_ADV_13$2005]Multiple Vulnerabilities in MetaCart eShop
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.034 Seconds