[webapps / 0day] - Squirrelcart PRO 3.0.0 Blind SQL Injectio
Posted on 21 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability by Salvatore Fresta in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>======================================================== Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability ======================================================== Squirrelcart PRO 3.0.0 Blind SQL Injection Vulnerability Name Squirrelcart PRO Vendor http://www.squirrelcart.com Versions Affected 3.0.0 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-10-21 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION ________________________ Squirrelcart PRO is a commercial and used PHP/MySQL e-commerce system. I tested only the demo versions. Other versions could be vulnerable. I obtained the demo's version value from the staff. II. DESCRIPTION _______________ A parameter is not properly sanitised before being used in a SQL query. III. ANALYSIS _____________ Summary: A) Blind SQL Injection A) Blind SQL Injection ______________________ The parameters prod_rn in index.php when add_to_cart is set to a positive value is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This vulnerability doesn't requires to be logged in. Successful exploitation requires that the first part of the injection (in the sample code it is 271) must be a valid product number (just see the products list). IV. SAMPLE CODE _______________ A) Blind SQL Injection http://site/path/index.php?add_to_cart=10&prod_rn=271 AND (SELECT(IF(0x41=0x41, BENCHMARK(9999999999,NULL),NULL))) V. FIX ______ No fix. # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-21]</pre></body></html>
