SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***
qty=1%00'
you get a mysql database error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***
qty=1%00''
you don't get the error:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html
So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.
So is this some kind of PHP extension that's checking for SQL injection characters like the single quote?
Did you develop the shopping cart in-house, or is it "third-party" software?
Can you show us the code?
While it doesn't fix or prevent the underlying SQL injection issue in the PHP code, I would have your developer add some more "friendly" and generic error handling so these MySQL errors don't get sent back to the user.
I'm sure by the time I finish typing this someone will show you how to actually exploit the SQL injection vulnerability.
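As an added illustration of the fix being discussed (strict input validation plus a parameterized query, with generic error handling instead of raw MySQL messages), here is example code that is not the cart's own code nor from any poster in this thread. It assumes PHP 7.1+ with pdo_sqlite, a hypothetical cart table, and a constructed product id of 42; the same PDO calls work against MySQL.

```php
<?php
// Added example, not the cart's code: validate qty as a whole integer and bind it
// in a prepared statement, so no blacklist of quotes or NUL bytes is needed.
// Uses an in-memory SQLite database via PDO so it runs stand-alone (the real cart uses MySQL).

function validateQty(string $raw): ?int
{
    // FILTER_VALIDATE_INT accepts only a complete, well-formed integer, so
    // inputs like "1\0'" or "1\0''" are rejected outright.
    $qty = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]);
    return $qty === false ? null : $qty;
}

function addToCart(PDO $db, int $productId, string $rawQty): bool
{
    $qty = validateQty($rawQty);
    if ($qty === null) {
        return false; // bad input: refuse it before any SQL is built
    }
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO cart (product_id, qty) VALUES (:pid, :qty)');
    $stmt->bindValue(':pid', $productId, PDO::PARAM_INT);
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    return $stmt->execute();
}

$db = new PDO('sqlite::memory:');
// Throw on database errors so they can be caught and logged, not echoed to the user.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cart (product_id INTEGER, qty INTEGER)');

try {
    // Constructed inputs mirroring the thread: a valid qty and the two filter-bypass attempts.
    foreach (['1', "1\0'", "1\0''"] as $raw) {
        $ok = addToCart($db, 42, $raw);
        echo json_encode($raw), ' => ', $ok ? 'added' : 'rejected', PHP_EOL;
    }
} catch (PDOException $e) {
    // Keep the real error server-side; the user only sees a generic message.
    error_log($e->getMessage());
    echo 'Sorry, something went wrong. Please try again.', PHP_EOL;
}
```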
I will give 0.30BTC for someone to successfully exploit this suggestion.
As a note, I have only granted the following privileges since the beginning of this hack-a-thon: "SELECT,UPDATE,INSERT,DELETE"