Hack ASP Shopping Cart (Shopadmin.asp Exploits)

Many conveniences come with improvements in information technology. The same holds for cracking methods, which have also become easy to carry out. One easy method is draining the contents of an e-commerce database. In this tutorial we will look at a weakness of an e-commerce shopping cart system that uses ASP and shopadmin.asp.

The first step is to go to the Google search engine and type "allinurl: / shopadmin.asp". This syntax asks Google to list all the indexed web pages whose address contains shopadmin.asp.

From the list, select sites one by one to find a web site that can be hacked. These days some e-commerce sites use their own ASP code with better security. Replace "shopadmin.asp" with "shopdbtest.asp". This asks the web browser to open the database test page. This page is usually used by the administrator to test the stability of the database, but with this page we can also learn the name and location of the database. Usually the database is shown on the xdatabase line. VP -

Then replace "shopdbtest.asp" in the address with the database name. For example, http://www.sitename.com/shopdbtest.asp becomes http://www.sitename.com/shopping.mdb. The .mdb extension must be added to the database name so the file can be used in MS Access; the ASP shopping cart keeps its database packed in a single .mdb file. With this address we ask the web browser to download the database. After the download succeeds, we can open it with MS Access.

Database exploitation.

Usually the administrator username and password are stored in the "tblUser" table, the customer data in the "Customers" table, and the transaction data in the "orders" table. The "orders" table is where the credit card data is stored. If the database falls into the hands of an irresponsible person, the consequences are bad.

The database actually has many more categories that can be reached through download. So, instead of only typing "allinurl: / shopadmin.asp" or "shopdbtest.asp", we can also use the following, more interesting search syntax:

shopa_displayorders.asp = Display orders
shopa_editdisplay.asp = categories View / Update Categories
shopa_editdisplay.asp = products View / Update Products
shopa_editdisplay.asp = MyCompany View / Update Your Company Information
shopa_editdisplay.asp = customers View / Update Customers
shopa_editdisplay.asp = ProdFeatures View / Update Product Features
shopa_editdisplay.asp = Subcategories View / Update Subcategories
shopa_editdisplay.asp = orders View / Update Orders
shopa_query.asp = Advanced Query
shopa_user_control.asp = Add / Delete Users
shopa_menu_control.asp = Menus for administrators
shopa_loghist.asp = View Login History
shopa_editdisplay.asp = shipmethods View / Update Shipping
shopa_reports.asp = Sales Reports by Date
shopa_stock.asp = Low Stock Reports
shopa_searchreports.asp = Display search keywords

Of all the syntax above, the most dangerous is shopa_user_control.asp, because it is the entry to the most sensitive page, a special menu intended for administrators only. On the shopa_user_control page a hacker can add users, delete users and more, with different access rights depending on the menu settings he chooses.

Preventing Database Download.

1. Place the database file in a non-standard location. This can be done if you have your own server.
2. Use a double extension for the database, for example shopping.mdb.asp.
3. Create a deliberate error message, so that when the hacker is in action an error message appears instead.
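As an added example that is not part of the original post: a small Python script that reads IIS W3C log lines and flags the three request types this tutorial describes (the shopdbtest.asp diagnostic page, a direct .mdb download, and shopa_* admin pages used from a host outside an assumed admin allowlist). The log lines and the allowlist address are constructed; a file renamed as in tip 2 (shopping.mdb.asp) is deliberately not flagged, since only a real .mdb served with a 2xx status counts as a download.

```python
from typing import Dict, List

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2009-03-01 10:00:01 203.0.113.5 GET /shop/default.asp - 200 5120
2009-03-01 10:00:09 203.0.113.5 GET /shop/shopdbtest.asp - 200 2311
2009-03-01 10:00:15 203.0.113.5 GET /shop/shopping.mdb - 200 1843200
2009-03-01 10:02:40 192.0.2.10 GET /shop/shopa_user_control.asp - 200 4096
2009-03-01 10:05:00 198.51.100.7 GET /shop/shopa_displayorders.asp - 403 312
2009-03-01 10:06:00 203.0.113.5 GET /shop/shopping.mdb.asp - 200 900
"""

ADMIN_ALLOWLIST = {"192.0.2.10"}   # assumed: hosts allowed to use shopa_* pages


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def classify(row: Dict[str, str]) -> str:
    """Return an alert label for one request, or '' if it looks benign."""
    stem = row["cs-uri-stem"].lower()
    name = stem.rsplit("/", 1)[-1]
    served = row["sc-status"].startswith("2")
    if name.endswith(".mdb") and served:
        return "DB_DOWNLOAD"                # raw Access database served to a client
    if name == "shopdbtest.asp" and served:
        return "DB_PATH_DISCLOSURE"         # diagnostic page reveals the database path
    if name.startswith("shopa_") and served and row["c-ip"] not in ADMIN_ALLOWLIST:
        return "ADMIN_PAGE_UNEXPECTED_IP"   # admin page used from a non-admin host
    return ""


def find_alerts(text: str) -> List[tuple]:
    """Return (client ip, uri, label) for every flagged request in the log."""
    return [(r["c-ip"], r["cs-uri-stem"], label)
            for r in parse_w3c(text) if (label := classify(r))]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```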
