Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability
Name               Squirrelcart PRO
Vendor             http://www.squirrelcart.com
Versions Affected  3.0.0
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-10-21
X. INDEX
I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
________________________
Squirrelcart PRO is a commercial PHP/MySQL e-commerce system in
active use.
I tested only the demo versions. Other versions could be
vulnerable. I obtained the demo's version value from the
staff.
II. DESCRIPTION
_______________
A parameter is not properly sanitised before being used
in a SQL query.
III. ANALYSIS
_____________
Summary:
A) Blind SQL Injection
A) Blind SQL Injection
______________________
The prod_rn parameter in index.php, when add_to_cart is
set to a positive value, is not properly sanitised before
being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
This vulnerability does not require being logged in.
Successful exploitation requires that the first part of
the injection (271 in the sample code) be a valid product
number (see the products list).
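As an added example (not part of the original advisory, and not Squirrelcart code), the following Python script shows how a defender could spot this request pattern in web-server access logs: it flags add_to_cart requests whose prod_rn is not a plain product number and marks those carrying MySQL time-delay functions. The log lines, IP addresses and path prefix are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The request
# shape follows the advisory: index.php?add_to_cart=N&prod_rn=<value>.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2010:10:00:01 +0000] "GET /shop/index.php?add_to_cart=1&prod_rn=271 HTTP/1.1" 200 5120
10.0.0.5 - - [21/Oct/2010:10:00:07 +0000] "GET /shop/index.php?add_to_cart=10&prod_rn=271%20AND%20(SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) HTTP/1.1" 200 4097
10.0.0.9 - - [21/Oct/2010:10:00:09 +0000] "GET /shop/index.php HTTP/1.1" 200 8810
10.0.0.5 - - [21/Oct/2010:10:00:15 +0000] "GET /shop/index.php?add_to_cart=2&prod_rn=271%20AND%20SLEEP(5) HTTP/1.1" 200 4097
"""

# Request target between the method and the protocol version.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# MySQL time-delay primitives typical of blind (time-based) injection.
DELAY_FUNCS = re.compile(r'\b(BENCHMARK|SLEEP)\s*\(', re.IGNORECASE)


def classify_prod_rn(value):
    """Return None for a well-formed product number, else a reason string."""
    if re.fullmatch(r'\d+', value):
        return None
    if DELAY_FUNCS.search(value):
        return 'time-based payload'
    return 'non-numeric'


def scan_log(text):
    """Return (client_ip, prod_rn, reason) for suspicious add_to_cart requests."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs URL-decodes values, so %20 becomes a space before matching.
        qs = parse_qs(urlsplit(m.group(1)).query)
        if 'add_to_cart' not in qs or 'prod_rn' not in qs:
            continue
        for value in qs['prod_rn']:
            reason = classify_prod_rn(value)
            if reason:
                findings.append((line.split()[0], value, reason))
    return findings


if __name__ == '__main__':
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f'{ip}\t{reason}\tprod_rn={value!r}')
```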
IV. SAMPLE CODE
_______________
A) Blind SQL Injection
http://site/path/index.php?add_to_cart=10&prod_rn=271 AND (SELECT(IF(0x41=0x41, BENCHMARK(9999999999,NULL),NULL)))
V. FIX
______
No fix.