Full Disclosure mailing list archives
CubeCart <=3.0.14 Blind SQL Injection POC.
From: "Nicholas Williams" <nicholas.d.williams () gmail com>
Date: Sat, 25 Nov 2006 00:35:11 -0600
Exploit Discovered By Novalok & Kasper Of KasaNova Security
Coded By A Friend

<?php
/*
Vendor        : Devellion Limited 2006
Exploit       : Blind SQL injection (look below for more info)
Impact        : **** of *****
Discovered by : KasaNova Security
--------------------------------------------------------------------------------
Explanation And Proof:

File: db.inc.php

The $query= is not protected efficiently, accepting blind SQL injections.
We can tell this because when tested on milliemoos.com with the string

  GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22. $glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;

I get a 200 HTTP OK reply. I can see this from the packets.
-------------------------------------------------------------------------------
There are most likely more injections, but this was all I found.
I did not try to exploit, just tried to find it.

-Novalok
KasaNova Security
*/

// Form fields; default to "" so a GET of the page does not warn on missing keys.
$query  = $_POST["query"]  ?? "";
$target = $_POST["target"] ?? "";

// $PHP_SELF only exists under register_globals; use $_SERVER and escape
// both it and the echoed $target so the form is not a reflected-XSS sink.
$form = "<form method=\"post\" action=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "\">"
      . "target:<br><input type=\"text\" name=\"target\" size=\"90\" value=\"" . htmlspecialchars($target) . "\"><br>"
      . "query:<br><input type=\"text\" name=\"query\" size=\"90\" value=\"\"><br>"
      . "<input type=\"submit\" value=\"Submit\" name=\"submit\">"
      . "</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) {
    echo $form;
} else {
    //Building Raw Byte Packet
    //Needed For Blind SQL Injection
    $packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
             . "xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
             . "yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
             . "vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
             . "G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
             . "zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
             . "C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
             . "gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
             . "XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
             . "ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
             . "9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
             . "lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
             . "mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
             . "bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
             . "WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
             . "sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
             . "luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
             . "PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
             . "GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
             . "gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
             . "9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
             . "gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
             . "2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
             . "ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
             . "GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
             . "0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
             . "NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
             . "0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
             . "XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
             . "IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
             . "nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
             . "oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";

    //Sending Raw Request via Base64_Decode Request Method
    // Note what actually happens here: no socket is ever opened to $target and
    // $query is never used. The "output" below is only the hard-coded string
    // above passed through base64_decode().
    $result = base64_decode($packetr);
    if (!$result) {
        echo "<p>Unable to get output of query. Try Another Query or Server May be Down\n";
        exit;
    } else {
        echo "Raw Output From Server:<br><br>" . $result;
    }
    echo $form;
}
?>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
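The evidence offered in the post for the injection is an HTTP 200 response. A 200 is what any PHP page returns whether or not the spliced-in SQL did anything, so it is not an oracle; a boolean-based blind injection is confirmed by comparing the response body of a true condition against a false one, and only then used to extract data. The example below is added here and is not code from the post or from CubeCart; it uses a constructed in-memory SQLite table whose only names taken from the post are the columns cat_id and cat_father_id (the table name category and the sample rows are assumptions), and it makes no claim about what db.inc.php actually does. It shows the concatenated query beside its parameterized fix, the true/false probe that both return "200", and the bit-by-bit extraction that the probe enables:

```python
import sqlite3

# Constructed in-memory table standing in for a shop's category table.
# Assumption for the example, not CubeCart's schema: only the column names
# cat_id and cat_father_id come from the query quoted in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE category (cat_id INTEGER, cat_father_id INTEGER, cat_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO category VALUES (?, ?, ?)",
        [(1, 0, "root"), (7, 1, "clothing"), (68, 7, "hats"), (69, 68, "caps")],
    )
    return conn


def vulnerable_lookup(conn, cat_id):
    """Query built by string concatenation, the bug class the post alleges.

    Returns (http_status, body). The status is always 200: a blind
    injection changes the body, never the status line, so "I got a 200 OK"
    on its own demonstrates nothing.
    """
    sql = "SELECT cat_father_id FROM category WHERE cat_id = " + cat_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return 200, ""  # errors swallowed, as a real page often does
    return 200, (str(row[0]) if row else "")


def safe_lookup(conn, cat_id):
    """Hardened form: the value is bound as a parameter, never spliced in.

    A string such as "68 AND (1=1)" is compared as text against an integer
    column and simply matches nothing.
    """
    sql = "SELECT cat_father_id FROM category WHERE cat_id = ?"
    row = conn.execute(sql, (cat_id,)).fetchone()
    return row[0] if row else None


def boolean_oracle(conn, cat_id, condition):
    """Boolean-based blind probe: append AND (<condition>) to a known-good id.

    True  -> the row still comes back (non-empty body).
    False -> the WHERE clause fails (empty body).
    The two branches must differ in body, not status, for this to be usable.
    """
    status, body = vulnerable_lookup(conn, f"{cat_id} AND ({condition})")
    return status, body != ""


def extract_int(conn, cat_id, bits=8):
    """Recover cat_father_id for cat_id one bit at a time through the oracle.

    The value itself is never shown in a response; the only signal is whether
    the page content differs between the true and false branches.
    """
    value = 0
    for bit in range(bits - 1, -1, -1):
        cond = (
            f"(((SELECT cat_father_id FROM category WHERE cat_id = {cat_id}) "
            f">> {bit}) & 1) = 1"
        )
        _status, truthy = boolean_oracle(conn, cat_id, cond)
        if truthy:
            value |= 1 << bit
    return value


def demo():
    conn = make_db()
    true_status, true_body = boolean_oracle(conn, 68, "1=1")
    false_status, false_body = boolean_oracle(conn, 68, "1=2")
    return {
        "status_identical_for_true_and_false": true_status == false_status == 200,
        "true_branch_has_body": true_body,
        "false_branch_has_body": false_body,
        "cat_father_id_of_68_via_oracle": extract_int(conn, 68),
        "safe_lookup_with_injection": safe_lookup(conn, "68 AND (1=1)"),
        "safe_lookup_with_int": safe_lookup(conn, 68),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The status field is identical for both probes; only the body separates them, which is why a 200 reply to a single crafted URL, with nothing to compare it against, is not a finding. The same probe drives extract_int, which reads the parent category id without any part of it ever appearing in a response.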
Current thread:
- CubeCart <=3.0.14 Blind SQL Injection POC. Nicholas Williams (Nov 24)