[Full-disclosure] CubeCart <=3.0.14 Bind Sql Injection POC.
Nicholas Williams
nicholas.d.williams at gmail.com
Sat Nov 25 06:35:11 GMT 2006
Exploit Discoverd By Novalok & Kasper Of KasaNova Security
Coded By A Friend
<?php
/*
Vendor : Devellion Limited 2006
Exploit: Blind SQL injection (look below for more info)
Impact: **** of *****
Discovered by: KasaNova Security
--------------------------------------------------------------------------------
Explanation And Proof:
File: db.inc.php
the $query= is not protected efficiently accepting blind SQL injections.
We can tell this becuase when tested on milliemoos.com
With String "GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22.
$glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;"
I get a 200 Http OK reply. I can see this from the packets
-------------------------------------------------------------------------------
There Are most likly More injrctions. But this was all
i found. I Didn not try to exploit. Just tryied to find it
-Novalok
KasaNova Secuirty
*/
$query = $_POST["query"];
$target = $_POST["target"];
$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
."target:<br><input type=\"text\" name=\"target\" size=\"90\"
value=\"".$target."\"><br>"
."query:<br><input type=\"text\" name=\"query\" size=\"90\"
value=\"\"><br>"
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";
if (!isset($_POST['submit']))
{
echo $form;
}else{
//Building Raw Byte Packet
//Needed For Blind SQL Injection
$packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
."xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
."yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
."vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
."G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
."zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
."C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
."gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
."XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
."ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
."9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
."lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
."mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
."bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
."WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
."sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
."luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
."PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
."GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
."gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
."9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
."gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
."2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
."ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
."GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
."0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
."NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
."0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
."XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
."IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
."nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
."oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";
//Sending Raw Request via Base64_Decode Request Method
$result = base64_decode($packetr);
if (!$result) {
echo "<p>Unable to get output of query. Try Another Query or Server May
be Down\n";
exit;
}else{
echo "Raw Ouput From Server:<br><br>".$result;
}
echo $form;
}
?>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061125/07229860/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.