[ic] SQL Injection?

Mike Heins mikeh at perusion.com
Wed Sep 24 10:46:36 UTC 2014


Quoting Bob Puff (bob at nleaudio.com):
> Hi Guys, 
> 
> I've corrected all the [sql ... entries in my cart, but yet I cannot find
> where mv_click or the search stuff is done, that is reported below.  I've
> looked in all the pages, and in all the templates.  Where do I find this?
> 
> search.html, process.html, and next_step.html are all files that don't
> actually exist.  mv_fail_page - how does that even hit a SQL query?

Did you look in etc/profiles.* or include/profiles? You appear
to be using an old module, CGI::Imagemap. That is used along with
mv_click_map to map IC actions to an image map.

If you have shell access, grep is your friend.

	grep -rl Check.Out *
	grep -rl Check.Shipping *

That will tell you which files might contain actions named "Check
Out" and "Check Shipping", which are defined in your mv_click_map. If
the above is very slow, you can try:

	grep -rl Check.Out catalog.cfg etc/ include/ pages/ variables/ templates/

(You can do the same sort of thing from the Admin tab of the IC admin interface,
using the file search function.)

> 
> Bob
> 
> reference:
> --------------------------------------------------------------
> Information From Target:
> Service: 80:TCP
> MySQL-style database, SQL SET / WHERE
> Response time:
> 0 seconds normal response
> 16 seconds executing injected delay
> 0 seconds executing injected non-delay
> 15 seconds executing injected delay again
> Sent:
> POST /cgi-bin/cart/search.html?id=PC9Bp9yf HTTP/1.0
> Host: www.hostname.com
> User-Agent: Mozilla/5.0
> Content-length: 160
> Content-Type: application/x-www-form-urlencoded
> Connection: Keep-Alive
> Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27
> 
> mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123
> Received: HTTP/1.1 200 OK
> 
> --------------------------------------------------------------------
> Information From Target:
> Service: 443:TCP
> MS-SQL-style database, SQL SET / WHERE
> Response time:
> 1 seconds normal response
> 16 seconds executing injected delay
> 0 seconds executing injected non-delay
> 15 seconds executing injected delay again
> Sent:
> POST /cgi-bin/cart/process.html HTTP/1.0
> Host: 127.0.0.1
> User-Agent: Mozilla/5.0
> Content-length: 518
> Content-Type: application/x-www-form-urlencoded
> Connection: Keep-Alive
> Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27
> 
> mv_session_id=ongV2b9t&mv_doit=refresh&mv_orderpage=ord%2Fbasket&mv_nextpage=index&quantity0=0&quantity0=1&quantity1=0&quantity1=1&quantity2=0&quantity2=1&quantity3=0&quantity3=1&quantity4=0&quantity4=1&quantity5=0&quantity5=1&quantity6=0&quantity6=1&%5C%27mv_click_map%5C%27=%5C%27Check_Out%5C%27&%5C%27mv_click_Check_Out%5C%27=%5C%27%5C%27&mv_click=Check+Out&zip=123&%5C%27mv_click_map%5C%27=%5C%27Check_Shipping%5C%27&%5C%27mv_click_Check_Shipping%5C%27=%5C%27%5C%27&mv_click=x")%20waitf
> 
> ---------------------------------------------------------------------
> Information From Target:
> Service: 443:TCP
> MS-SQL-style database, SQL SET / WHERE
> Response time:
> 1 seconds normal response
> 15 seconds executing injected delay
> 0 seconds executing injected non-delay
> 15 seconds executing injected delay again
> Sent:
> POST /cgi-bin/cart/ord/next_step.html?id=ongV2b9t HTTP/1.0
> Host: 127.0.0.1
> User-Agent: Mozilla/5.0
> Content-length: 341
> Content-Type: application/x-www-form-urlencoded
> Connection: Keep-Alive
> Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27
> 
> mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123
> Received: HTTP/1.1 200 OK
> -----------------------------------------------------------------------
> 

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.253.4194  <mike at perusion.com>

I used to think the whole world stank. Then I found out I had poop
on my mustache. -- Anonymous
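The scan output quoted above is a time-based blind probe: the only difference between the "injected delay" and "injected non-delay" requests is a sleep()/WAITFOR DELAY in what should be a column name (mv_search_field, mv_sort_field) or a page name (mv_failpage), and the 15-second response says the string reached the database engine unchanged. Column and sort names cannot be passed as bound parameters, so for that class of input the fix is an allow-list of real column names rather than quoting. The Python below is an added illustration written for this archive page, not Interchange code and not Mike's or Bob's; the products table, its column names, the allow-list and the three rows are constructed for the example, and it runs on SQLite, which has no sleep(), so the MySQL payload from the report shows up as a statement error rather than a delay.

```python
import sqlite3

# Constructed sample catalog for this illustration; the table, its columns
# and these rows are assumptions, not Interchange's schema.
ROWS = [
    ("os28004", "Ergo Roller", "Tools"),
    ("os28005", "Disston Saw", "Tools"),
    ("os28006", "Painters Brush Set", "Paint"),
]

# Columns a search form is allowed to name (assumed list; in practice this
# comes from the table definition, never from the request).
SEARCHABLE = {"sku", "description", "category"}


def connect():
    """In-memory SQLite database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT, description TEXT, category TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db


def search_vulnerable(db, field, spec, sort_field="sku", substring=True):
    """Search handler that pastes the request's field names into the SQL.

    The search value is bound with a placeholder, which is the usual advice,
    but a column name or ORDER BY target cannot be bound, so a request
    parameter like mv_search_field or mv_sort_field lands in the statement
    verbatim. This is the shape of bug the scanner's sleep()/WAITFOR payloads
    are built to find.
    """
    pattern = f"%{spec}%" if substring else spec
    sql = f"SELECT sku FROM products WHERE {field} LIKE ? ORDER BY {sort_field}"
    return [row[0] for row in db.execute(sql, (pattern,))]


def search_hardened(db, field, spec, sort_field="sku", substring=True):
    """Same query, but every identifier is checked against the allow-list
    before it goes anywhere near the statement. Identifiers are then
    double-quoted (SQLite / ANSI style; MySQL would use backticks) so a
    column whose name collides with a keyword still parses."""
    for name in (field, sort_field):
        if name not in SEARCHABLE:
            raise ValueError(f"field not searchable: {name!r}")
    pattern = f"%{spec}%" if substring else spec
    sql = f'SELECT sku FROM products WHERE "{field}" LIKE ? ORDER BY "{sort_field}"'
    return [row[0] for row in db.execute(sql, (pattern,))]


def probe(handler, field, spec):
    """Run one handler against one payload and report what happened:
    ("rows", [...]) if the query ran, ("rejected", msg) if the allow-list
    stopped it, ("sql_error", msg) if the payload broke the statement."""
    db = connect()
    try:
        return ("rows", handler(db, field, spec))
    except ValueError as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))
    finally:
        db.close()


if __name__ == "__main__":
    # mv_search_field payload from the scan report; MySQL would sleep 15 s,
    # SQLite has no sleep() and simply fails to parse the statement.
    scanner = "x' xor sleep(15) /*"
    # A tautology in the identifier slot returns the whole table regardless
    # of what the customer actually searched for.
    tautology = "1=1 OR description"
    for label, payload in (("legit", "description"), ("scanner", scanner), ("tautology", tautology)):
        for handler in (search_vulnerable, search_hardened):
            print(f"{handler.__name__:17} {label:10} {probe(handler, payload, 'Saw')}")
```

probe() classifies each case so the three payloads can be compared side by side. On a MySQL-backed catalog the scanner payload in the vulnerable handler would pause for 15 seconds and then return a normal 200, which is the signature in the report above; the allow-listed handler refuses the same request before any SQL is built, and grep for the form handlers, as Mike suggests, is how you find which catalog code is doing the pasting.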
