[webapps / 0day] - WebXpress! SQL Injection + admin session
Posted on 16 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>WebXpress! SQL Injection + admin session | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title></head><body><pre>
========================================
WebXpress! SQL Injection + admin session
========================================
# Exploit Title : WebXpress! SQL Injection
# Author : Sudden_death (suddendeath404@yahoo.com)
# Platform/Tested on : Windows XP 2 SP 2
# myweb : http://sudden.isgreat.org
# Version : none
# Software Link : http://www.webx-press.com/
# dork : your imagination
======================================================================
# vuln here
http://127.0.0.1/path/product_list.php?id=[sqli]

Register and log in as an ordinary member, then browse to the admin page: when the admin page is opened, an ordinary member's session is granted the same access rights as the super admin.
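Added example (not part of the original advisory and not WebXpress! code): the two defects described above, an id parameter concatenated into SQL and an admin page that does not check the session's role, shown in hardened form as a PHP sketch using PDO prepared statements and a server-side role check. Table and column names, session keys and the database DSN are assumptions.

```php
// Added example (not WebXpress! code). Table/column names, session keys
// and the DSN are assumptions made for illustration.

session_start();

// 1. product_list.php?id= : validate the parameter as a positive integer
//    and bind it, so the value can never be interpreted as SQL.
function load_product(PDO $pdo, array $query): ?array
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);   // reject anything that is not a positive integer
        return null;
    }
    // Vulnerable pattern this replaces: "SELECT ... WHERE id = " . $_GET['id']
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Admin pages: being logged in is not enough. Check the role stored
//    server-side in the session on every admin request, not only at login,
//    so an ordinary member's session cannot reach super-admin functions.
function require_admin(array $session): void
{
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage in product_list.php (credentials are placeholders)
$pdo = new PDO('mysql:host=localhost;dbname=webxpress', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$product = load_product($pdo, $_GET);

// Usage at the top of every admin page, before any admin action runs
require_admin($_SESSION);
```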
Greets : | bumble_be | kiddies | patriot | Mr.SoOofe | petimati | white hat | Syst3m_RtO | MISTERFRIBO | CS-31 | d43ngCyb3r | zee eichel | ne0 d4rk fl00d3r | Ichito-Bandito | james0baster | kaMtiEz | Man In Black | otong | r3m1ck's | shadowsmaker | SyNTaX ErRoR | iJoo | FLYFF666 | LOL1ds | Md_holic | cah_surip | angga | demnas | ELV1N4 | jonathan | virgi | scr34mz | Kimmonosz | pL4nkt0n | RxN7 | jos_ali_jo | 45tr0_k1ll1n9 | huda_style | zalezero | CireSoft49 | r4tu_le64h | cruzen | ranggamagic | Mbah_semar | and all the crews I can't mention one by one |
Special thanks : [ indonesianhacker.or.id | tecon-crew.org | devilzc0de.org | makassarhacker.com ]
note : do not say everything you know, but know everything you say!
# <a href='http://1337db.com/'>1337db.com</a> [2010-12-16]</pre></body></html>