tracewar(tracewar@gmail.com) presents.. VP-ASP Getting owned.

****************************************************
Vulnerable Software: VP-ASP Shopping Cart 5.50, OTHERS
Impact: Manipulation of data(SQL Injection ATTACK)
Credits: Mindy, SlickK, Crazycookie(Love you =D), sese
Special thanks to Mudavyne for their song "HAPPY".
****************************************************

While talking about SQL Injections and famous "SITE" systems
using ASP, with a close friend of mine over the efnet network
I told him I'll try to hack the VP-ASP Shopping Cart system
5 Minutes later.. They got owned.
After googeling for other VP-ASP advisories, I found some lame
exploit with a bug that wont even work once so I release
this pwnage to you guys.

And now for the real sh1t:
The Vulnerability exists in the shopaddtocart.asp file under
the query "productid", evil url:

/shopaddtocart.asp?FeatureValue1=1&Feature1=7&FeatureValue2=1&Feature2=9&SM=1&Feature3=1&Feature4=55&Required=7%2C9%2C10%2C140&quantity=1&Order=Order&productid=1'

Just google for some VP-ASP Shopping carts with the following technique:
intitle:"VP-ASP Shopping cart"
and feel free to verify my sh1t, I hope you guys enjoyed the ride.


-tracewar