Companies, like: VP-ASP, X CART, etc. This tutorial is for hacking VP-ASP SHOP. I hope u seen whenever u try to buy some thing on internet with cc, they show u a well programmed form, very secure. They are carts, like vp-asp xcarts. Specific sites are not hacked, but carts are hacked. Below I'm posting tutorial to hack VP ASP cart. Now every site. To Hack Shopadmin Asp Tafsir Quran Pdf The Adventures Of Hatim Episode 1 Free Download Download Autocad 2007 Portable Mf Download Song Piya Re Piya Re Thare Bina Salma Agha Songs Dil Ke Armaan Mp3 Download Return To Nuke Em High Volume 2 Torrent Vst.
Printed from: VP-Cart StoreFront Customer Forum Topic URL:https://www.vpcart.com/virtprog/vpaspforum/topic.asp?TOPIC_ID=689 Printed on: September 08 2020
Topic:
Topic author: toocharming Subject: Recently Hacked Posted on: August 14 2002 22:59:13 Message:
Our VPASP database was hacked into recently. The hacker successfully discovered the correct username/password combination to log into the Administration page. I wrote some asp scripts to email us whenever someone attempts to access shopadmin.asp or shopadmin1.asp. I am also writing some additional code to lock out unsuccessful login after 3 attempts. I am further considering a SSL certificate. Anyone else experience hacking recently? Tom
Replies:
Reply author: kwjoey Replied on: January 30 2003 06:45:17 Message:
I just got hacked. The hacker changed my admin password in the database. I don't understand how this happened. My database is located in the directory- C:DATA It is not browsable. Is it possible to hack into the directory from the domain name? Like typing http://domain.com/c:/data ..cause I don't think so. I'm using VPASP 3.50. I had removed all files used for conversion and installation, as well as all files starting with C, the Session list utility, Database test utility, and the Template testing utility. Of course my password was changed from the default one. Here's what wasn't done before I was hacked. I didn't change the name of my login page so the hacker could get to that. And I didn't use the login page with the 2nd password that hard-coded in shopadmin.asp. I have since done this. I figure the hacker must have used a brute force attack to crack the password because the db file was not downloadable. Does anybody have any other ideas for me?
Reply author: Superal Replied on: January 30 2003 15:57:05 Message:
I take it that you have your own server. There are many security issues that pertain to servers alone. Without these measures in place, VPASP is vulnerable. Remember these guys have tools to open the cracks in the server holes. Close em. Look at the lastest virus attacks on servers only. The security issue has been known for over 6 months but unless you are persistant on updating you see what happens.
Reply author: Superal Replied on: January 30 2003 16:10:21 Message:
Just for instance I immediately found a butcher shop in the UK that has left shopdbtest available. No problem for me, no problem for others! Man oh man there are dozens! Snikeees! Now if I were a crook or a smacker I could have a lot of fun. Edited by - superal on January 30 2003 16:18:09
Reply author: mohajali Replied on: May 29 2003 11:48:27 Message:
hi there every body look at this website: http://www.google.com/search?q=allinurl:shopadmin.asp&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=230&sa=N there is 360 vulnerable site in this vuln isn't there is any1 to contact them and tell then that they are vulnerable
VP-Cart StoreFront Customer Forum : https://www.vpcart.com/virtprog/vpaspforum/
1. Change your password This should be the first thing that you do when working with VP-CART.
To change your password:
Go to the Occasional Tasks in your shopping cart administration
Select the Admin Users in the Users section
Select Admin and click on edit
Enter a new userid and password
Click continue
Carlsbro eclipse 12 manual 2017. Note: You should complete this process for the VPCART user as well, or delete it.
2. Add a second password As the default passwords are stored in a database, it is important to add a second password that is not stored in the same place. By adding a second password you can ensure that your admin page has maximum security.
Download your admin login page (shopadmin.asp) via your FTP client, or locate it on your local machine
Open the shopadmin.asp file
Locate the const SecondPassword=' line
Enter your second password between the inverted commas i.e. the code should now read: const SecondPassword='yoursecondpassword'
Save the file
Users viewing files on the remote server only: FTP the new file onto your remote server, overwriting the original file.
3. Rename your Admin Page For increased security, it is recommended that the admin log in page is made a stand-alone page with no reference to it in the database. Follow these easy steps to rename your Admin page:
Download your admin login page ( shopadmin.asp ) via your FTP client, or locate it on your local machine
Rename the file by right-clicking on the file name and selecting Rename
Open the file with Notepad or an HTML editor
Locate the following line (approx. line 5): • const xadminpage = “shopadmin.asp”
Replace shopadmin.asp with the file name (from step 2 above). It should now read: • const xadminpage = “youradminloginpage.asp”
Users viewing files on the remote server only: FTP the new file onto your remote server and delete the old shopadmin.asp file.
To enter your administration pages, you will now need to browse to your new administration page (i.e. http://localhost/shopping/youradminloginpage.asp)
4. Setting your xadminmenucheck - Version 6.50 and earlier only As an enhanced security feature, setting your Xadminmenucheck = yes will ensure that each menu used is checked against the list of menus available to that administrative userid.
To change this setting:
Go to the Set-Up Menu in your shopping cart administration
Select the Administration Security menu item
Locate the Xadminmenucheck setting and select “Yes” from the drop down menu
Click “Save Changes”
5. Setting your xrestrictadmintables This security setting will ensure that tables are limited to those administrators given permission to access them.
To change this setting:
Go to the Set-Up Menu in your shopping cart administration
Select the Administration Security menu item
Locate the xrestrictadmintables setting and select “Yes” from the drop down menu
Click “Save Changes”
6. Setting your xshowadmin This feature allows the shopadmin.asp to be displayed if an error occurs – by setting this to ‘No' a general error message page will be displayed. This is an enhanced security feature against hackers and the recommended setting is ‘No'.
To change this setting:
Go to the Set-Up Menu in your shopping cart administration
Select the Administration Security menu item
Locate the xshowadmin setting and select “No” from the drop down menu
Click “Save Changes”
7. Changing the database name Note: this is for Access users ONLY! It is recommended that you rename your database by giving it a name that is unique and hard to guess. Changing your database name:
Rename your database (default name in VP-CART 6.0 is shopping600 )
Open the shop$config.asp file
Locate the const xDatabase= line and insert your new database name between the inverted commas. i.e. the code should now read: • const xDatabase='YourName' 'Database name
Click “Save Changes”
7. Removing all diagnostic files
Delete all files starting with the word “convert”. These files include the following:
convertsql.asp
convert600.asp
convert600imageupload.txt
convert600access.txt
convert600config.txt
convert600sqlserver.txt
convertcategories.asp
convertconfig.asp
convertproducts.asp
create600mysql.txt
create600admin.txt
create600demo.txt
create600sqlserver.txt
Please note: if you have an earlier version, these files will have that version number in their name instead of '600' – e.g. create500demo.txt
Remote Users: Please ensure that you have deleted all these files on both your local PC, and your remote server.
8. Removing all files starting with “diag” Delete all files starting with “diag”. These files include the following:
diag_dbtest.asp
diag_sessionlist.asp
diag_findfiles.asp
diag_smstest.asp
diag_mysqlbtest.asp
Remote Users:Please ensure that you have deleted all these files on both your local PC, and your remote server.
Inurl: Shopadmin.asp
9. Encrypting Credit Cards It is important to encrypt any credit card information that you are taking through your site – and to ensure that the encryption code used is different to that in the Payments section of the configuration. This is important so that if a hacker does somehow manage to download your database, it will do them no good as the information it contains will be encrypted.
To set your encryption:
Download the shop$config.asp file via your FTP client, or locate it on your local machine
Open the shop$config.asp file using notepad or an HTML editor
Locate const xencryptkey = 'agabAhjBcG' line and insert your encryption key i.e. the code should now read: • const xencryptkey = 'yourencryptionkey'
Save the file
Users viewing files on the remote server only: FTP the new file onto your remote server, overwriting the original file.
10. Credit Card Storage Settings VP-CART recommends that you do not store credit card numbers.
If you take credit card numbers into your system rather than using a Payment Gateway, we recommend that you delete the credit card number as soon as the order has been processed. This can either be done manually, or the shopa_displayorders.asp page can be set to delete credit card numbers automatically when the order is marked as processed.
To Hack Shopadmin Asphalt 8
In order to automatically delete credit card numbers as soon as an order is processed, simply:
Download the shopa_displayorders.asp file via your FTP client, or locate it on your local machine
Open the shopa_displayorders.asp page
Locate the following code (around line 341 depending on the version your are running) : • Sub MarkProcessed (Item) • • 'Response.write 'item=' & item • • sql= 'update orders set oprocessed = 1 where orderid =' & item • • dbc.Execute sql • • If getconfig('xmailprocessed')='Yes' then • • • MailProcessedOrder dbc, item • • end if • End sub
The bold code above should be removed and replaced with : • 'sql= 'update orders set oprocessed = 1 where orderid =' & item • sql= 'update orders set oprocessed = 1, ocardno=0000 where orderid =' & item
Save the file
Users viewing files on the remote server only: FTP the new file onto your remote server, overwriting the original file.
All orders should now be printed and processed immediately. Credit card numbers will be deleted as soon as an order is processed in the admin.
11. Securing your Database Note: this is for Access users ONLY! If your database is not in a secure location, with the correct setting, hackers may be able to download through the web browser. To secure your database folder you will need to update your IIS settings, and the NTFS properties on your database folder. To test if your settings are correct, attempt to browse to your database (e.g. http://localhost/shopping/database). You should receive a “ The Page cannot be displayed ” error. If you do not receive this error and your database starts to download, please follow the steps below. If a third party is hosting your website, you will need to check that you have been provided with a database directory and that the correct permissions have been set. If you are uncertain, please contact your web host and ensure that the following have been set:
To Hack Shopadmin Asp Access
Read and write permissions on the database folder in your shopping sub-directory need to be set (the READ/WRITE must be set in the NTFS on the database folder, and not the file itself)
Read access must be removed from IIS on the folder that the database will be stored in
To Hack Shopadmin Aspen
Setting IIS permissions on your database folder
Click on Start , then on Control Panel , then double-click on Administrative Tools
Double-click on Internet Information Services
Browse to your database folder by expanding the menus on the left
Right click on your database folder and select Properties
Uncheck the Read box
Click Apply
Click OK
To Hack Shopadmin Aspirin
Setting up database permissions
Open up your VP-CART directory ( C:/InetPub/wwwroot/shopping/database for local hosts)
Right-click on your database folder, and then click on Properties
Click on the Security tab in the dialog box window
Select Everyone or Users and then click on the Advanced button
Select Everyone or Users in the Permission Entries
Check “Replace permission entries on all child objects with entries shown here that apply to child objects”
Uncheck “Inherit from parent the permission entries…” then click Copy in the dialog window (if applicable)
Click on Apply
A security window will pop-up, select Yes
Select the Everyone or Users Group, and ensure that Allow box is only checked for Read and Write
