[ic] SQL Injection?
Mike Heins
mikeh at perusion.com
Wed Sep 24 10:46:36 UTC 2014
Quoting Bob Puff (bob at nleaudio.com):
> Hi Guys,
>
> I've corrected all the [sql ... entries in my cart, but yet I cannot find
> where mv_click or the search stuff is done, that is reported below. I've
> looked in all the pages, and in all the templates. Where do I find this?
>
> search.html, process.html, and next_step.html are all files that don't
> actually exist. mv_fail_page - how does that even hit a SQL query?
Did you look in etc/profiles.* or include/profiles? You appear
to be using an old module, CGI::Imagemap. That is used along with
mv_click_map to map IC actions to an image map.
If you have shell access, grep is your friend.
grep -rl Check.Out *
grep -rl Check.Shipping *
That will tell you where in files you might find actions named "Check
Out" and "Check Shipping" which are defined in your mv_click_map. If
the above is very slow you can try:
grep -rl Check.Out catalog.cfg etc/ include/ pages/ variables/ templates/
(You can do the same sort of thing from the Admin tab of the IC admin interface,
using the file search function.)
>
> Bob
>
> reference:
> --------------------------------------------------------------
> Information From Target:
> Service: 80:TCP
> MySQL-style database, SQL SET / WHERE
> Response time:
> 0 seconds normal response
> 16 seconds executing injected delay
> 0 seconds executing injected non-delay
> 15 seconds executing injected delay again
> Sent:
> POST /cgi-bin/cart/search.html?id=PC9Bp9yf HTTP/1.0
> Host: www.hostname.com
> User-Agent: Mozilla/5.0
> Content-length: 160
> Content-Type: application/x-www-form-urlencoded
> Connection: Keep-Alive
> Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27
>
> mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123
> Received: HTTP/1.1 200 OK
>
> --------------------------------------------------------------------
> Information From Target:
> Service: 443:TCP
> MS-SQL-style database, SQL SET / WHERE
> Response time:
> 1 seconds normal response
> 16 seconds executing injected delay
> 0 seconds executing injected non-delay
> 15 seconds executing injected delay again
> Sent:
> POST /cgi-bin/cart/process.html HTTP/1.0
> Host: 127.0.0.1
> User-Agent: Mozilla/5.0
> Content-length: 518
> Content-Type: application/x-www-form-urlencoded
> Connection: Keep-Alive
> Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27
>
> mv_session_id=ongV2b9t&mv_doit=refresh&mv_orderpage=ord%2Fbasket&mv_nextpage=index&quantity0=0&quantity0=1&quantity1=0&quantity1=1&quantity2=0&quantity2=1&quantity3=0&quantity3=1&quantity4=0&quantity4=1&quantity5=0&quantity5=1&quantity6=0&quantity6=1&%5C%27mv_click_map%5C%27=%5C%27Check_Out%5C%27&%5C%27mv_click_Check_Out%5C%27=%5C%27%5C%27&mv_click=Check+Out&zip=123&%5C%27mv_click_map%5C%27=%5C%27Check_Shipping%5C%27&%5C%27mv_click_Check_Shipping%5C%27=%5C%27%5C%27&mv_click=x")%20waitf
>
> ---------------------------------------------------------------------
> Information From Target:
> Service: 443:TCP
> MS-SQL-style database, SQL SET / WHERE
> Response time:
> 1 seconds normal response
> 15 seconds executing injected delay
> 0 seconds executing injected non-delay
> 15 seconds executing injected delay again
> Sent:
> POST /cgi-bin/cart/ord/next_step.html?id=ongV2b9t HTTP/1.0
> Host: 127.0.0.1
> User-Agent: Mozilla/5.0
> Content-length: 341
> Content-Type: application/x-www-form-urlencoded
> Connection: Keep-Alive
> Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27
>
> mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123
> Received: HTTP/1.1 200 OK
> -----------------------------------------------------------------------
>
> _______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org
> http://www.icdevgroup.org/mailman/listinfo/interchange-users
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.253.4194 <mike at perusion.com>
I used to think the whole world stank. Then I found out I had poop
on my mustache. -- Anonymous
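An added triage helper for the scanner report quoted above (example code written for this page, not from the thread or from Interchange itself): it decodes each form-encoded POST body, flags parameters whose value carries a time-based blind-SQLi probe (MySQL sleep(), MS-SQL WAITFOR DELAY), and pulls the mv_click action labels into the "Check.Out"-style patterns Mike suggests grepping the catalog for. The request bodies are the ones from the report (the process.html body is cut down to its relevant fields), and the pg_sleep marker is an assumption added for completeness.

```python
# Added example: triage of the url-encoded bodies from the scanner report above.
import re
from urllib.parse import parse_qsl

# Markers of time-based probes; pg_sleep is an added assumption, not in the report.
TIME_PROBE = re.compile(
    r"sleep\s*\(\s*\d+\s*\)|waitfor\s+delay\s+'[\d:]+'|pg_sleep\s*\(",
    re.IGNORECASE,
)
# A legitimate mv_click value is a plain action label such as "Check Out".
ACTION_LABEL = re.compile(r"^[\w ]+$")


def decode_body(body: str) -> list[tuple[str, str]]:
    """Split a url-encoded POST body into decoded (name, value) pairs, keeping blanks."""
    return parse_qsl(body, keep_blank_values=True)


def suspicious_params(body: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs whose name or value contains a time-based probe."""
    return [(n, v) for n, v in decode_body(body)
            if TIME_PROBE.search(v) or TIME_PROBE.search(n)]


def click_actions(body: str) -> list[str]:
    """Return mv_click action labels as grep patterns (space -> '.', e.g. 'Check.Out').

    Only clean labels are returned, so injected garbage in mv_click is left out.
    """
    return [v.replace(" ", ".") for n, v in decode_body(body)
            if n == "mv_click" and ACTION_LABEL.match(v)]


# Bodies quoted from the report (search.html, next_step.html, process.html);
# the process.html body is trimmed to the fields that matter here.
SEARCH_BODY = ("mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category"
               "&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123")
NEXT_STEP_BODY = ("mv_action=return&mv_nextpage=ord%2Fbilling"
                  "&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*"
                  "&mv_form_profile=Check_shipping&fname=123&zip=123")
PROCESS_BODY = ('mv_doit=refresh&mv_orderpage=ord%2Fbasket&%5C%27mv_click_map%5C%27=%5C%27Check_Out%5C%27'
                '&mv_click=Check+Out&%5C%27mv_click_map%5C%27=%5C%27Check_Shipping%5C%27&mv_click=x")%20waitf')

if __name__ == "__main__":
    for label, body in (("search", SEARCH_BODY), ("process", PROCESS_BODY), ("next_step", NEXT_STEP_BODY)):
        print(label, "probes:", suspicious_params(body), "grep for:", click_actions(body))
```

The process.html body ends in the truncated "waitf" exactly as the report shows it, so it yields no probe hit; only its clean "Check Out" action survives as a grep pattern.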