CubeCart <=3.0.14 Bind Sql Injection POC.

["Nicholas Williams" <nicholas.d.williams () gmail com>]

Exploit Discoverd By Novalok & Kasper Of KasaNova Security
Coded By A Friend
<?php

/*
Vendor : Devellion Limited 2006
Exploit:  Blind SQL injection (look below for more info)
Impact: **** of *****
Discovered by: KasaNova Security
--------------------------------------------------------------------------------
Explanation And Proof:

File: db.inc.php

the $query= is not protected efficiently accepting blind SQL injections.
We can tell this becuase when tested on milliemoos.com
With String "GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22.
       $glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;"
I get a 200 Http OK reply. I can see this from the packets
-------------------------------------------------------------------------------

There Are most likly More injrctions. But this was all
i found. I Didn not try to exploit. Just tryied to find it

-Novalok

KasaNova Secuirty

*/

$query = $_POST["query"];
$target = $_POST["target"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
   ."target:<br><input type=\"text\" name=\"target\" size=\"90\"
value=\"".$target."\"><br>"
   ."query:<br><input type=\"text\" name=\"query\" size=\"90\"
value=\"\"><br>"
   ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
   ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit']))
{

echo $form;

}else{

//Building Raw Byte Packet
//Needed For Blind SQL Injection

$packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
     ."xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
     ."yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
     ."vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
     ."G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
     ."zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
     ."C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
     ."gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
     ."XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
     ."ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
     ."9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
     ."lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
     ."mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
     ."bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
     ."WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
     ."sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
     ."luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
     ."PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
     ."GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
     ."gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
     ."9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
     ."gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
     ."2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
     ."ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
     ."GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
     ."0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
     ."NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
     ."0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
     ."XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
     ."IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
     ."nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
     ."oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";


//Sending Raw Request via Base64_Decode Request Method

$result = base64_decode($packetr);
if (!$result) {
   echo "<p>Unable to get output of query. Try Another Query or Server May
be Down\n";
   exit;
}else{

echo "Raw Ouput From Server:<br><br>".$result;

}

echo $form;



}
?>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/