Message-ID: <be4695aa0611242235w60eb314eq8519ed9cae389ac@mail.gmail.com>
Date: Sat, 25 Nov 2006 00:35:11 -0600
From: "Nicholas Williams" <nicholas.d.williams@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CubeCart <=3.0.14 Blind SQL Injection POC.

Exploit Discovered By Novalok & Kasper Of KasaNova Security
Coded By A Friend
<?php

/*
Vendor : Devellion Limited 2006
Exploit:  Blind SQL injection (look below for more info)
Impact: **** of *****
Discovered by: KasaNova Security
--------------------------------------------------------------------------------
Explanation And Proof:

File: db.inc.php

the $query= is not protected efficiently, accepting blind SQL injections.
We can tell this because when tested on milliemoos.com
With String "GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22.
        $glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;"
I get a 200 Http OK reply. I can see this from the packets
-------------------------------------------------------------------------------

There Are most likely More injections. But this was all
i found. I Did not try to exploit. Just tried to find it

-Novalok

KasaNova Security

*/

// Read the form fields; default to empty strings so the first GET does not
// raise undefined-index notices (the original relied on PHP 4 behaviour).
$query  = $_POST['query']  ?? '';
$target = $_POST['target'] ?? '';

// $PHP_SELF only exists with register_globals; use $_SERVER instead, and
// escape the reflected values so the tool's own form is not an XSS sink.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
$form = "<form method=\"post\" action=\"" . $self . "\">"
    . "target:<br><input type=\"text\" name=\"target\" size=\"90\" value=\""
    . htmlspecialchars($target, ENT_QUOTES) . "\"><br>"
    . "query:<br><input type=\"text\" name=\"query\" size=\"90\" value=\"\"><br>"
    . "<input type=\"submit\" value=\"Submit\" name=\"submit\">"
    . "</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) {

    echo $form;

} else {

//Building Raw Byte Packet
//Needed For Blind SQL Injection

$packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
      ."xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
      ."yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
      ."vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
      ."G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
      ."zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
      ."C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
      ."gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
      ."XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
      ."ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
      ."9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
      ."lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
      ."mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
      ."bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
      ."WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
      ."sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
      ."luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
      ."PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
      ."GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
      ."gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
      ."9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
      ."gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
      ."2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
      ."ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
      ."GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
      ."0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
      ."NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
      ."0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
      ."XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
      ."IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
      ."nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
      ."oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";


//Sending Raw Request via Base64_Decode Request Method
// Note: nothing is sent anywhere. base64_decode() of the fixed string above
// is the only operation performed here; $target and $query are never used.

$result = base64_decode($packetr);
if (!$result) {
    echo "<p>Unable to get output of query. Try Another Query or Server May be Down\n";
    exit;
} else {
    echo "Raw Output From Server:<br><br>" . $result;
}

echo $form;



}
?>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
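The post's "proof" is an HTTP 200 on a GET request, and the posted PHP script never contacts $target at all: it base64-decodes a hard-coded string and echoes it. As an added example (not code from the post, from KasaNova Security or from CubeCart), the script below shows what a boolean-based blind SQL injection test actually involves. It builds an in-memory SQLite table whose table and column names follow the query quoted in the post; the rows, the two request handlers, the "200 with an empty body on database error" behaviour and the use of SQLite in place of CubeCart's MySQL backend are all constructed assumptions. The probe sends a true/false pair of payloads and compares response bodies, then uses the same oracle to recover an integer blind, one comparison per request. Both handlers answer 200 for every payload, which is exactly why a status code alone is not evidence.

```python
"""Boolean-based blind SQL injection, demonstrated offline.

Added example, not code from the post or from CubeCart. The table and column
names follow the query quoted in the post; the rows, the handlers and their
error behaviour are constructed assumptions, and SQLite stands in for MySQL.
"""
import sqlite3
from typing import Callable, Tuple

# Constructed rows: (cat_id, cat_father_id). Invented for the demo.
SAMPLE_ROWS = [(1, 0), (2, 1), (68, 3), (69, 3)]

Handler = Callable[[sqlite3.Connection, str], Tuple[int, str]]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CubeCart_category (cat_id INTEGER, cat_father_id INTEGER)"
    )
    conn.executemany("INSERT INTO CubeCart_category VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, cat_id: str) -> Tuple[int, str]:
    """Concatenates the parameter into the SQL text: the defect the post alleges.

    Returns (http_status, body). Like many PHP apps of the era it swallows
    database errors and still answers 200 (assumption), so the status code
    on its own never reveals anything.
    """
    sql = "SELECT cat_father_id FROM CubeCart_category WHERE cat_id = " + cat_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return 200, ""
    return 200, " ".join(str(r[0]) for r in rows)


def hardened_lookup(conn: sqlite3.Connection, cat_id: str) -> Tuple[int, str]:
    """Same query with the parameter bound: the input is data, never SQL."""
    rows = conn.execute(
        "SELECT cat_father_id FROM CubeCart_category WHERE cat_id = ?", (cat_id,)
    ).fetchall()
    return 200, " ".join(str(r[0]) for r in rows)


def blind_probe(handler: Handler, conn: sqlite3.Connection, base: str) -> dict:
    """Send a pair of payloads differing only in an always-true vs always-false
    condition. If the bodies differ, the input reached the SQL parser."""
    status_t, body_t = handler(conn, f"{base} AND 1=1")
    status_f, body_f = handler(conn, f"{base} AND 1=2")
    return {
        "both_200": status_t == 200 and status_f == 200,
        "injectable": body_t != body_f,
    }


def oracle(handler: Handler, conn: sqlite3.Connection, base: str, cond: str) -> bool:
    """True iff appending AND (cond) leaves the response identical to the baseline."""
    baseline = handler(conn, base)[1]
    return handler(conn, f"{base} AND ({cond})")[1] == baseline


def extract_int(handler: Handler, conn: sqlite3.Connection, base: str,
                subquery: str, lo: int, hi: int) -> int:
    """Binary-search an integer in [lo, hi) through the boolean oracle.
    This is what blind extraction costs: about log2(hi - lo) requests per value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(handler, conn, base, f"({subquery}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_probe(vulnerable_lookup, db, "68"))
    print("hardened:  ", blind_probe(hardened_lookup, db, "68"))
    leaked = extract_int(
        vulnerable_lookup, db, "68",
        "SELECT cat_father_id FROM CubeCart_category WHERE cat_id = 69", 0, 16,
    )
    print("cat_father_id of cat 69, recovered blind:", leaked)
```

Against a live target the same pair of payloads would go through an HTTP client and the comparison would be on response bodies (or on response time, for time-based variants), never on the status code. With the bound parameter, the text "68 AND 1=1" is compared against cat_id as a value and simply matches nothing, so the true and false payloads produce identical responses and the oracle has nothing to work with; MySQL prepared statements give the same result by the same principle, although the type-coercion details differ from SQLite's.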
