AutoPartsWarehouse SQL Injection

AutoPartsWarehouse SQL Injection: Posted Jul 14, 2009; Authored by Gm0; The site at www.autopartswarehouse.com suffers from a remote SQL injection vulnerability. The owner of the site was notified and ignored the person reporting the vulnerability to them.; tags | exploit, remote, sql injection; SHA-256 | 29803409c0aac21040eeeba265375e2500c4809d52ab1c232d1fd9231ea3869e; Download | Favorite | View

AutoPartsWarehouse SQL Injection

==============================================================
===================[¦¦¦¦TeamQuarantine¦¦¦¦]===================
===================[¦¦¦¦     2009     ¦¦¦¦]===================
============[¦¦¦¦TeamQuarantine@hushmail.com¦¦¦¦]=============
===================[¦¦¦¦ Author: Gm0  ¦¦¦¦]===================
==============================================================
==============[¦¦¦¦ autopartswarehouse.com ¦¦¦¦]==============
========[¦¦¦¦ SQL Injection Authentication bypass ¦¦¦¦]=======
==============================================================
==============================================================
A Site Note:
I don't usually post site-specific exploits, but due to the
fact that they have IGNORED all of our attempts to explain this
issue to them, I feel they would learn best if more people
showed them what a problem this could be.  
Be nice...    ;)

==============================================================
======================[¦¦¦¦ USAGE: ¦¦¦¦]======================
==============================================================
Vulnerable: https://www.autopartswarehouse.com/myaccount/login/

1) Fire up your favorite HTTP/HTTPS post/header editor 
   (tamperdata)

2) Supply valid email-address credentials and password (due
   to client-side validation), or simply modify client side
   validaton with firebug to accept "improper" email-address
   formatting

3) Modify 'username' and 'password' parameter values to
   ' OR 1=1--
   (simple, I know, which is why they should be informed)

4) Submit modified request

5) Click 'edit profile' link for proof of logged-in status
   (https://www.autopartswarehouse.com/myaccount/edit_profile/)

==============================================================
====================[¦¦¦¦ FINAL WORD ¦¦¦¦]====================
==============================================================
I _KNOW_ more can be done with this.
Explore, learn, have fun. (be responsible)
Maybe now they will take notice . . .

==============================================================
======================[¦¦¦¦ SHOUTZ ¦¦¦¦]======================
==============================================================
Everyone at TeamQuarantine
Including _YOU_ A.G.
But certainly not J.L.

HA!

Top Authors In Last 30 Days

Red Hat 272 files
Ubuntu 60 files
Debian 19 files
Gentoo 8 files
Apple 5 files
Google Security Research 4 files
Jann Horn 3 files
Spencer McIntyre 3 files
LiquidWorm 3 files
Pierre Kim 2 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

AutoPartsWarehouse SQL Injection

AutoPartsWarehouse SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

AutoPartsWarehouse SQL Injection

Share This

AutoPartsWarehouse SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems