Squirrelcart PRO 3.0.0 – Blind SQL Injection

• Exploit Database
• 122 阅读

• 作者： Salvatore Fresta
  日期： 2010-10-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15300/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73

  Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability   NameSquirrelcart PRO Vendorhttp://www.squirrelcart.com Versions Affected 3.0.0   AuthorSalvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date2010-10-21   X. INDEX   I.ABOUT THE APPLICATION II. DESCRIPTION III.ANALYSIS IV. SAMPLE CODE V.FIX   I. ABOUT THE APPLICATION ________________________   Squirrelcart PROisacommercialandusedPHP/MySQL e-commerce system.   I tested only the demo versions.Other versions could be vulnerable. I obtained the demo's version value fromthe staff.     II. DESCRIPTION _______________   A parameter is not properly sanitisedbeforebeing used in a SQL query.     III. ANALYSIS _____________   Summary:   A) Blind SQL Injection   A) Blind SQL Injection ______________________   The parameters prod_rn in index.php whenadd_to_cartis set to a positive value is not properly sanitisedbefore beingusedin aSQLquery. Thiscanbe exploited to manipulateSQLqueries by injecting arbitrary SQL code.   Thisvulnerabilitydoesn'trequiresto belogged in.   Successful exploitation requires thatthefirst part of the injection (in the sample code it is 271)mustbea valid product number (just see the products list).     IV. SAMPLE CODE _______________   A) Blind SQL Injection   http://site/path/index.php?add_to_cart=10&prod_rn=271 AND (SELECT(IF(0x41=0x41, BENCHMARK(9999999999,NULL),NULL)))   V. FIX ______   No fix.