Google Search: inurl:shopdbtest.asp
klouw rates this entry 10 out of 10.
Submitted: 2004-10-10 09:50:09
Added by: klouw
shopdbtest is an ASP page used by several e-commerce products. A vulnerability in the script allows remote attackers to view the database location, and since that is usually unprotected, the attacker can then download the web site’s database by simply clicking on a URL (that displays the active database). The page shopdbtest.asp is visible to all the users and contains the full configuration information. An attacker can therefore download the MDB (Microsoft Database file), and gain access to sensitive information about orders, users, passwords, etc.
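An added example, not part of the original entry or of the shop product's own code: a local audit a site owner can run over their own web root to find the three conditions this entry depends on (the shopdbtest.asp page present, an .mdb file stored under the web root, and an empty xdblocation). The constant names come from the config lines quoted in the comments below; `audit_webroot`, `build_sample_site`, `sample_config.asp` and the sample directory layout are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# VBScript constants as quoted in the thread, e.g.: const xdblocation="" 'comment
CONST_RE = re.compile(r'^\s*const\s+(xDatabase|xdblocation)\s*=\s*"([^"]*)"',
                      re.IGNORECASE | re.MULTILINE)

def audit_webroot(webroot):
    """Return sorted (issue, relative_path) findings for a local web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            lower = name.lower()
            if lower == "shopdbtest.asp":
                # Diagnostic page that discloses the active database path
                findings.append(("diagnostic-page-present", rel))
            elif lower.endswith(".mdb"):
                # Any file under the web root can be requested by URL
                findings.append(("database-inside-webroot", rel))
            elif lower.endswith(".asp"):
                with open(full, encoding="latin-1") as fh:
                    consts = {k.lower(): v for k, v in CONST_RE.findall(fh.read())}
                # Empty xdblocation: the MDB sits beside the served scripts
                if "xdatabase" in consts and consts.get("xdblocation", "") == "":
                    findings.append(("xdblocation-empty", rel))
    return sorted(findings)

# Constructed sample config, mirroring the two constants quoted in the thread
SAMPLE_CONFIG = '''const xDatabase="shopping300" 'Database name
const xdblocation="" 'location of database relative to VP-ASP files
'''

def build_sample_site(root):
    """Create a constructed shop layout; sample_config.asp is a hypothetical name."""
    shop = os.path.join(root, "shopping")
    os.makedirs(shop)
    for name, body in (("shopdbtest.asp", "<% ' diagnostic page %>"),
                       ("sample_config.asp", SAMPLE_CONFIG),
                       ("shopping300.mdb", "")):
        with open(os.path.join(shop, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for issue, path in audit_webroot(build_sample_site(tmp)):
            print(f"{issue:26} {path}")
```

Each finding maps to a fix: delete the diagnostic page, and move the MDB to a directory the web server does not serve.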
2004-11-15 11:18:54 (Anonymous): [quote]A vulnerability in the script allows remote attackers to view the database location, and since that is usually unprotected, the attacker can then download the web site’s database by simply clicking on a URL (that displays the active database).[/quote]
Where’s the address of the database in the asp file? Didn’t get it :-/
2004-12-19 00:35:04 (mrc0de): to answer the question above mine…
then look there and i saw…
then i saw …
const xDatabase="shopping300" 'Database name
const xdblocation="" 'location of database relative to VP-ASP files
So i did http://host/shopping/shopping300.mdb –> Save As File!
i got the file and it’s pretty darn big… how the hell do i read this crap? tried opening it in notepad… nope… not plain text.. what program can read MDB?
sorry i never use db progz
Anyhow… This trick was FUN
2004-12-19 01:07:08 (mrc0de): k used an MS access DB viewer… dbtool… NICE didn’t have any cust records but i did find the admin’s pass and username.. as well as his company’s contact info… think i’ll fax him a copy of his own database…
2005-09-20 00:03:24 (ndndnnd): i have tried so hard to get results but they are just too many pages to search for what one is looking for so i ask i need does anyone know where i can get cc and cvv information urgently needed.
2005-11-02 14:42:50 (Anonymous):
Google It, You Moron..>
Internet Lesson 101: Always check
Google before asking a question.
Someone thinks you are a moron, and just gave you a link here because you
asked a question that would have been easily answered with a quick
Next time search Google before asking a question, and only if you couldn’t
find anything should you ask someone for help.
Have a good day. ;)
2006-01-17 13:58:37 (herlihey): sometimes the db’s deny you read access…but otherwise a great trick!
2006-01-23 01:16:45 (Hawkmyster): A very interesting little hack indeed………..though some of the sites accessed do seem somewhat inactive!?! It seems that credit card info is not kept in the databases of most sites……since it is illegal to do so according to some sources. Anyhow……being able to pull down someone’s database containing customers, suppliers, orders, products, etc is nothing to be sneezed at………….a security hole for sure.
2006-01-27 04:57:45 (rmm2): nice one…
but most sites have a xDblocation like this:
is there any way to still get the .mdb?