Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15244
HistoryNov 28, 2006 - 12:00 a.m.

[Full-disclosure] CubeCart <=3.0.14 Bind Sql Injection POC.

2006-11-2800:00:00
vulners.com
16

Exploit Discoverd By Novalok & Kasper Of KasaNova Security
Coded By A Friend
<?php

/*
Vendor : Devellion Limited 2006
Exploit: Blind SQL injection (look below for more info)
Impact: **** of*****
Discovered by: KasaNova Security

Explanation And Proof:

File: db.inc.php

the $query= is not protected efficiently accepting blind SQL injections.
We can tell this becuase when tested on milliemoos.com
With String "GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22.
$glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;"
I get a 200 Http OK reply. I can see this from the packets

There Are most likly More injrctions. But this was all
i found. I Didn not try to exploit. Just tryied to find it

-Novalok

KasaNova Secuirty

*/

$query = $_POST["query"];
$target = $_POST["target"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
."target:<br><input type=\"text\" name=\"target\" size=\"90\"
value=\"".$target."\"><br>"
."query:<br><input type=\"text\" name=\"query\" size=\"90\"
value=\"\"><br>"
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit']))
{

echo $form;

}else{

//Building Raw Byte Packet
//Needed For Blind SQL Injection

$packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
."xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
."yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
."vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
."G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
."zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
."C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
."gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
."XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
."ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
."9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
."lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
."mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
."bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
."WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
."sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
."luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
."PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
."GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
."gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
."9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
."gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
."2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
."ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
."GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
."0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
."NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
."0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
."XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
."IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
."nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
."oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";

//Sending Raw Request via Base64_Decode Request Method

$result = base64_decode($packetr);
if (!$result) {
echo "<p>Unable to get output of query. Try Another Query or Server May
be Down\n";
exit;
}else{

echo "Raw Ouput From Server:<br><br>".$result;

}

echo $form;

}
?>